12 Nov 2002
Single sign-on technology is often used within organisations and local area networks (LANs) to authenticate the identity of users. Single sign-on allows users to move between systems without signing on again. The technology offers a number of benefits, and many companies plan to use it more widely. This is likely to encourage more use of Web services, and could build the foundation for improved business-to-business and business-to-employee communications.
Among the firms developing Web services systems are technology giants such as Microsoft, AOL, Sun and HP, as well as major credit card organisations and banks. All this development activity has led to the emergence of several apparently rival systems for single sign-on. The first one to go live, albeit in a basic form, was Microsoft's Passport. Others include the Liberty Alliance project, which released its specifications for a de-centralised single sign-on scheme, described as federated authentication, in July.
Another system is known as Magic Carpet, and is backed by AOL.
The attraction of single sign-on is clear. Anyone who uses information and e-commerce sites on the Internet will know the problems of maintaining multiple user accounts. Different sites use different formats for user identity, making it hard to avoid the bad practice of keeping written lists of IDs and passwords.
In addition, every time a user registers with a new site, the same information is likely to be submitted - a time-consuming process. And each site must be logged into separately, which limits the user's ability to move from one site to another - to follow an advert or special offer, for example.
Single sign-on offers a solution, allowing the use of the same account details on multiple sites, preferably without having to log in again when moving between sites. This is relatively easy to set up within a single organisation, where the security infrastructure can be shared, but it is more difficult between organisations.
Microsoft's Passport initially enabled single sign-on for Microsoft services such as MSN and Hotmail, but was subsequently made available to third-party sites too, if they were willing to let Microsoft handle authentication for them. One of the biggest firms to sign up was an existing Microsoft partner, US bank and credit card provider Citigroup.
Microsoft says there are more than 200 million Passport users worldwide.
However, in a survey by analyst firm Gartner Group, 84 percent of registered Passport users said they adopted Passport only because it was a requirement to gain access to a Microsoft service; only two percent said they adopted it to avoid the need for multiple IDs and passwords.
Passport is a key part of Microsoft's dot-Net platform for Web services, but it attracted bad publicity following the discovery of security vulnerabilities in the system last year. Microsoft seems to have taken the resulting criticism seriously. It has fixed problems in Passport and Hotmail, and spent a month checking code to improve the security of its products. Microsoft has also announced that it will move to a model based on the open Kerberos standard later this year.
Kerberos
Named after the three-headed guardian dog of Greek mythology, Kerberos is a secret-key mechanism for authentication within heterogeneous networks, and was developed by the Massachusetts Institute of Technology in the US.
"Kerberos will be the base standard for Passport as we move forwards," says John Noakes, Microsoft's dot-Net policy and regulatory affairs manager.
"We will release a software development kit in a year or so to help people use Kerberos ticketing with Passport." He adds that Microsoft's plans for Passport include the use of technologies such as digital certificates, smartcards and biometrics.
But for now Passport relies on a user name - typically an email address - and password for authentication, which does not offer a high level of security, say critics. They add that the fact that a single organisation is storing personal data and access details for millions of users may make it a tempting target for hackers.
Many firms do not want to cede control of their customers' data to a third party such as Microsoft. This is one reason for the creation of the Liberty Alliance. Its 100-odd members include telecoms companies such as France Telecom, Vodafone and NTT DoCoMo, financial heavyweights American Express, MasterCard and Visa, plus General Motors, United Airlines, AOL Time Warner, Sony and other large corporates.
Sun says that authentication for its Sun One Web services system will conform to Liberty specifications; and Novell has unveiled a Liberty-compliant identity management solution, codenamed Saturn. Other alliance members such as RSA, Entrust, NeuStar and Communicator have also announced plans for products that implement the Liberty specifications.
These companies share a vision of a federated authentication system, in which a Web site could use one or more authenticators to verify the identity of a visitor.
Trust networks would then evolve so that users authenticated by one company would be able to move to a site authenticated by another. The authorisation process - assigning users specific rights on each site based on their authentication - would still be handled locally.
Eric Dean, chairman of the Liberty Alliance Management Board and chief information officer of United Airlines, argues that few firms, not even Microsoft, believe that all identification data should be held in one place. The door is open for a federated system to include Passport, Magic Carpet and others, he adds.
Noakes agrees that Microsoft now sees advantages in a federated model.
He adds that Microsoft has so far been unable to agree terms to join the Liberty Alliance, but this may change in the future. "The Liberty Alliance is a strong collection of companies come together to agree specifications for single sign-on on the Internet," Noakes says. "Microsoft isn't on a different path - the overall objective for all single sign-on is true interoperability."
An open and interoperable standard for network identity would be useful not just on the Internet, where it could bring new e-commerce opportunities and economies of scale, but also within corporate intranets to secure business-to-business and business-to-employee communications.
Many observers argue that the federated model should allow existing authorisation mechanisms and user interfaces to remain in place within organisations - protecting their investments while enabling interoperability.
Strong authentication systems must also ensure non-repudiation - using cryptographic and/or other techniques to verify that the user is who they claim to be, and to ensure they cannot later deny having done so - hence the move towards technologies such as smartcards and biometric security devices, which register users' physical characteristics, such as fingerprints.
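As an added illustration (not code from the article or from any of the schemes it names; Liberty's own specifications rest on signed SAML assertions), this sketches the federated flow described above: an identity provider issues a short-lived, audience-bound statement that the user logged on, and the relying site verifies it before applying its own local authorisation. Host names, the shared key and the role table are constructed for the example; the HMAC used here gives shared-key integrity between two partners only, not the non-repudiation the paragraph above calls for, which needs a digital signature.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed shared secret between the identity provider and one relying site
# (assumption: one key per partner; a real federation would use certificates).
IDP_KEY = b"constructed-demo-secret-for-travel-site"


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key: bytes, subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity provider side: after authenticating `subject`, emit a statement that
    says only 'this user logged on here', bound to one relying site and a lifetime."""
    claims = {"issuer": "idp.example", "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)


def verify_assertion(key: bytes, token: str, expected_audience: str, now: int):
    """Relying site side: check integrity, audience and lifetime before trusting the
    subject. Returns the subject, or None when any check fails."""
    try:
        encoded_payload, encoded_tag = token.split(".")
        payload, tag = unb64(encoded_payload), unb64(encoded_tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or altered
    claims = json.loads(payload)
    if claims.get("aud") != expected_audience:
        return None  # assertion meant for a different site: refuse to reuse it
    if not claims["iat"] <= now < claims["exp"]:
        return None  # outside its lifetime
    return claims["sub"]


# Authorisation stays local: federation says who the user is, the site decides
# what that identity may do. Constructed role table for the example.
LOCAL_ROLES = {"alice@example.org": "book_and_refund", "bob@example.org": "book_only"}


def authorise(key: bytes, token: str, audience: str, now: int) -> str:
    subject = verify_assertion(key, token, audience, now)
    if subject is None:
        return "denied"
    return LOCAL_ROLES.get(subject, "guest")
```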
The obstacles to single sign-on do not only involve the technology; there are also business issues to be addressed, including the question of who has liability if identities are misappropriated. "For example, if someone logs onto the Sony site with my ID and buys an airline ticket, who is liable? Today it's the merchant," says Dean.
Commenting on the progress of the Liberty Alliance project, Dean says, "The first release (of the Liberty Alliance specification) keeps the existing accounts with each site. It shares no information between sites except the fact that you logged on. The next round of specifications will include profile or e-wallet sharing."
Dean adds that it is up to each company to decide first if it wants to share this data, then the user will be asked if they want their account to be shared from one organisation to another. "There is a lot of caution here," Dean says. "It is a huge step up in privacy concerns when you go to sharing user information - that's a substantial incremental debate."
Customer choice
Despite the progress and growing use of single sign-on, it is unlikely that there will ever be a unified system for all purposes. One reason for this is that users may want to retain individual accounts for some sites, or may want different accounts for different purposes, and companies will need to build online client relationship models that allow for this.
Dean offers the analogy of store cards and credit cards, pointing out that most stores accept credit cards, but credit cards have not supplanted store cards.
Dean adds, "Credit cards aren't the only form of ID though, there are also loyalty programmes, driving licences and so on. There probably won't ever be one sign-on for all purposes. Similarly, my mailing address could be my home, or my summer home if I had one, or my office or a post office box. Which one I use is a function of my relationship with the service."