Identity management is a popular topic these days. But unlike previous technology flavors of the month -- VOIP (voice over IP) and Bluetooth networking come to mind -- identity management is important to business and consumers alike. As I've said elsewhere, without a simpler way to handle identity transactions, the Web services model that we're all scrambling toward will fail.
The first Liberty Alliance specifications, released at The Burton Group Corp.'s recent Catalyst conference in San Francisco, address SSO (single sign-on; or simplified sign-on, as some prefer). The specs finally offer a credible start to the process of creating a true federated identity management scheme. (I'm now in the middle of wading through the documentation, and I'll discuss what I find at length in a future column.)
But there remains a false assumption in most discussions of SSO: the idea that individuals only want to present one face to the electronic world. Based on my own experience, I'm not buying it.
For starters, I figure that my online activities fall into one of at least three categories: work-related, personal, and private. The sites I visit for my work include vendor information sites, publications, and so forth. The sites I visit in my personal time would include my bank, my HMO, and other publications, with a certain overlap between the sites I read for fun and those I do for work.
Finally, there are sites I categorize as "private," which appeal to my outlaw or prurient instincts, and shame on you for imagining what those might be.
I reckon some readers have thought about this even more than I, and I'm sure you will posit more possibilities than the three I just outlined. But for now, let's stick with these three for our discussion.
The problem lies in the overlap among the three categories. I need to bring some of my "personal" attributes into the office -- whether I'm working in the InfoWorld Test Center lab, on the road, or at home. For example, my personnel record contains more than just work-related information; it also contains my Social Security number, a copy of my passport -- the kind issued by the State Department, not Microsoft -- and my bank routing numbers for the payroll folks.
But you can bet your sweet bippy that I emphatically do not want my "private" attributes following me to work. Yet there's no reason why I wouldn't link at least some, if not all, of my work-related identities together and include some of my "personal" identities with them. I might even want to link the "private" identities, even if I don't link them to anything in my public personae.
Any identity management scheme has to take these three aspects of a person's identity into account if it's going to achieve the support and usage needed to be truly beneficial. It doesn't matter if your focus is b-to-b, b-to-c, or as I put it, "b-to-star" -- business to whatever. Role-based authentication sounds nice, but in practice it is difficult to pull off. Ultimately, access rights and their like have to be applied to real, individual people and their multiple personae.