During my 20-plus years in the IT industry, single sign-on has been the Holy Grail for people who use multiple disparate systems and applications. There are separate passwords for the PC, the mainframe, the accounting application and the sales-tracking application. Because I'm the same person, you'd think I'd only have to sign on once and my identity could be passed among them.
The epic march toward global authentication takes on new meaning when we look at the Web and all the places there where you have to confirm your identity. It will only get more complex when Web services take root in the coming years.
Several companies and consortia are tackling the problem of Internet identity management. All hope to be the first to the finish line for worldwide adoption, as the winner gets to define a very important set of standards. The major players in this arena are Microsoft Corp., with its Passport authentication scheme; The Liberty Alliance Project, a consortium of numerous technology and business players that advocate an open standard; and AOL Time Warner Inc., with its Magic Carpet. As you might expect, none of the solutions are compatible.
In this latest "space race," the major issue is the planned scheme for storing and managing identity information. Should one company hold all the identity information? Should it be a third-party, federated solution? If multiple sources hold the identity database, how would they interact?
When I recently wrote about Internet authentication for Network World's Technical Executive Newsletter, I found people are very passionate about the problem. Obviously, this is a technology in development that is well worth watching. Network managers will want to know who is authorized to use their networks and how. Application developers will need to know which standards to support and which APIs to write to. End users will want to know how and by whom their personal information is being used.
The concept of single sign-on is noble. But the road to this nirvana is riddled with potholes.
For one thing, privacy groups grow alarmed when they think about your identity information (including credit card numbers and Social Security number) passing from site to site without your intervention. Although safeguards would protect and limit what data is transferred, safeguards can be circumvented. This is true no matter which of the three authentication schemes ultimately wins the war. As if to reaffirm this concern, hackers have already broken into the Passport Internet Authentication service, shutting it down for two days recently.
Who keeps the identity database is a key issue. Currently, Microsoft keeps a centralized database with the Passport identity information. Critics are fearful Microsoft may use the collected information for marketing or other selfish purposes. It appears the company may bow to pressure from critics who want a neutral third party to hold the database.
For its part, The Liberty Alliance Project already has said it would use a multiparty federated database. The group likens it to our nationwide credit card system, where there are essentially two clearinghouses that determine if a charge should go through or not. Having an impartial entity hold the data is essential to boost the confidence of privacy advocates.
The Liberty Alliance Project intrigues me. The group has a daunting task as it tries to develop an all-encompassing, yet neutral, technology and policy solution. Yet, looking at the players committed to this project (Sun Microsystems Inc., American Express Co., AOL Time Warner, Bank of America Corp., Dun & Bradstreet Corp. and United Air Lines Inc., among others), I have to think broad acceptance of whatever solution the coalition develops is a given.
I believe we'll end up with both Passport and the Liberty Alliance Project as our "standards" some day, and systems integrators will get rich trying to make them work together. Better bone up on your programming skills.
Musthaler is vice president of Currid & Co., a US technology consulting firm. She can be reached at firstname.lastname@example.org.