31 Oct 2002
The number of keys on a key ring is arguably a measure of status. Who knows what exotic locations or critical functions may be unlocked by those little pieces of metal?
Unfortunately, owning 40 user ID and password combinations offers no meaningful peer respect or acclaim, and is even less convenient to carry around than a football-sized key ring.
Between work, home and a growing number of online government services, password management is rapidly getting out of control.
It may never be possible to remember just one password, or rely on just one smartcard, for every single digital transaction and log-on.
"We believe that most users don't want a single identity, but want to reduce the number of IDs they are asked to maintain to a manageable level," said Paul Madsen, security architect at Entrust and spokesman for the Liberty Technology Expert Group.
Analysts seem to agree that such a goal is not particularly feasible. In a recent report AMR Research analyst Cate Quirk warned that "organisations need to realise that access management is not yet ready to provide control over all applications [web-based or legacy], and that this may never be the case".
But even modest progress could save considerable time and make e-commerce less of an obstacle course.
The typical consumer scenario for single sign-on envisages a world where the user books airfare, hotel, car and livery service, crossing sites to find the best arrangement but carrying the certification from the first user ID and password request through the entire process, rather than starting the introduction process anew at each stop.
The two major emerging technologies for the consumer component are Microsoft's Passport, already deployed on dozens of sites, and the emerging standards from the Liberty Alliance trade group.
Although they share similar goals, the two use different security and authentication standards. Liberty adopted the Security Assertion Markup Language (SAML) approach from the Organisation for the Advancement of Structured Information Systems (Oasis) standards body.
Passport uses Kerberos, with supporting security components based on the Web Services Security specification, also defined by Oasis.
Unlike Passport, which is visibly deployed today and has a very defined business model, Liberty does not specify a particular business model for its technology.
More than 120 member organisations work to define the specification and represent varying levels of commitment to either deploy and participate in federated, shared identity networks, or to help implement them for others.
Papers, please
At the most trivial level, Passport is a single sign-on to most of Microsoft's consumer-facing properties, such as Messenger and Hotmail. QXL, eBay, and former Redmond sibling Expedia also take part.
The Passport licensing schedule calls for an annual £6,600 fee plus a £1,000 "periodic compliance testing fee".
There are no incremental costs for per-user or per-incident authentication. In the Passport model, member sites accept a Kerberos credential issued by the Microsoft server as confirmation that the user has been verified as genuine.
In the Liberty model, trusting partners share credentials through SAML tags. Future versions of the Liberty standard promise opt-in identity and profile sharing.
Account linking is a feature (but not an obligatory one) of Liberty. The specification provides for unique IDs to be sent by an authentication server to each 'relying' site, making it difficult to merge data without permission.
Unlike Passport, Liberty is not a monolithic sign-on network. It is simply a standard for sharing authentication.
While some Liberty position papers highlight the concept of truly shared, federated security, at least some of the proposed business models to actually implement Liberty-based identity are based on a hub-and-spoke model, where a large central partner controls authorisation for a satellite group of related firms in a 'community of interest'.
"He who enrols owns the customer," explained Andy Eliopolous, director of network identity at Sun Microsystems, which, possibly, is also the point behind Passport.
The central server model could lead to a world of digital identity dominated by the same names that overshadow the world of consumer and light-corporate finance.
"With American Express, MasterCard, and Visa involved [as prominent Liberty sponsors], it is likely that they will be able to generate large communities of interest," said Gartner research director Ray Wagner.
"As consumers, we may be more interested in trusting a credit card organisation than we are in trusting some e-tailer, and most organisations would probably prefer to use their own [authentication] services rather than create their own."
The consumer-facing firms already have established data traffic with those credit agencies.
Using the Liberty model, sites can request additional information, and the SAML authentication sent back from the identity server can reflect the strength of a sign-on, giving a higher grade for an identity verified through a public key infrastructure (PKI) device or biometric reading.
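As an added illustration of the two Liberty points above (site-specific identifiers that make it hard for relying sites to merge data, and an assertion that carries the strength of the sign-on), this is not code from the Liberty specification or from any vendor; the HMAC derivation, the secret, the site names and the strength grades are assumptions made for the example.

```python
import hmac
import hashlib
import json

# Constructed, hypothetical identity-provider secret for this example only;
# a real identity server would keep such material in protected storage.
IDP_SECRET = b"constructed-idp-secret-for-illustration"

# Sign-on strength grades, following the article: a PKI device or a biometric
# reading earns a higher grade than a plain password. Values are assumptions.
STRENGTH = {"password": 1, "pki_device": 3, "biometric": 3}


def relying_party_handle(user_id: str, site_id: str) -> str:
    """Derive an opaque, site-specific handle for a user.

    Assumption for this example: the handle is an HMAC over the user and
    site identifiers, so the same user appears under unrelated handles at
    different relying sites and two sites cannot merge records by handle.
    """
    msg = f"{user_id}|{site_id}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def build_assertion(user_id: str, site_id: str, method: str) -> dict:
    """Build a minimal assertion-like record addressed to one relying site.

    It carries the site-specific handle and the strength grade of the
    sign-on, never the user's global identifier.
    """
    if method not in STRENGTH:
        raise ValueError(f"unknown authentication method: {method}")
    return {
        "audience": site_id,
        "subject": relying_party_handle(user_id, site_id),
        "auth_method": method,
        "strength": STRENGTH[method],
    }


def can_link(assertion_a: dict, assertion_b: dict) -> bool:
    """True only if two records could be merged on the subject handle."""
    return assertion_a["subject"] == assertion_b["subject"]


if __name__ == "__main__":
    airline = build_assertion("alice@example.com", "airline.example", "password")
    hotel = build_assertion("alice@example.com", "hotel.example", "pki_device")
    print(json.dumps(airline, indent=2))
    print(json.dumps(hotel, indent=2))
    print("sites can link by handle:", can_link(airline, hotel))  # False
```

A relying site that needs a stronger sign-on can compare the `strength` field against its own threshold before accepting the assertion.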
Beyond the Password
Single sign-on must stand for more than a universal password if it is to be truly useful beyond the basic 'airline and hotel' examples: it needs hardware as well.
Smartcard technology is certainly mature and portable but, despite efforts to push them out to the mass market embedded in phone and credit cards, smartcards remain very narrowly focused on individual solutions, such as protecting an office, or tracking a credit balance for a particular type of device.
Although smartcards have been reportedly poised to redefine authentication for at least the past 15 years, Wagner pointed out that the hardware simply isn't prevalent enough yet.
"Until we all have built-in smartcard readers [on PCs and notebooks], we will not switch," he explained. "I would say that the value to a consumer is more ephemeral than it is to business."
One of the largest 'community' deployments of smartcards is now underway at the US Department of Defense, which has signed contracts to equip all its personnel with smartcards by the end of 2003.
While it is unlikely that the certificates in the Common Access Card framework will be made available to non-government entities, smartcard advocates welcome any opportunity to train people in the technology.
For more complex problems of identity that still want to retain ties to the Passport world, Microsoft is marrying Passport to an Active Directory through a new proxy layer, known as TrustBridge, due at the end of 2003.
While Liberty-based systems are not yet up-and-running, other firms are already trying to bring universal digital identification to the business world. One approach involves making traditional banks the identity authorities in online and digital signature transactions.
"Banks have a 400-year history of doing authentication," said Greg Worch, chief marketing officer for e-commerce specialist Identrus.
The Royal Bank of Scotland is one of more than 60 financial institutions offering PKI-based digital signature services through its TrustAssured unit.
The technology is based on the Identrus specification, which acts much like a credit card clearing house, but for bank-issued identity certificates instead of card numbers.
Banks issue electronic signature passwords or tokens to clients, who can then use those to make electronic transactions with an identity guarantee, backed by the issuing institution and, ultimately, the authentication contracts in force at Identrus.
Federated national security?
It seems too early to expect governments to embrace the single sign-on approach, although there are pockets of activity that point to important stepping stones.
Last year, the French tax authority commissioned Novell to implement a directory-based sign-on system for 35 million taxpayers that provided a single point of authorisation, but varying degrees of access depending on the profile of the user, cutting out multiple sign-on interfaces for citizens and employees.
But because of the highly political nature of what would amount to a national digital ID, neither Microsoft nor the Liberty Alliance members interviewed could confirm plans to aggressively push their solutions into government systems.
Also, many government services that lend themselves well to automation would not be well served by a regional or even national authentication system.
To process a road repair report, it is not important to certify that the request is being submitted by a resident of that town, county, or even country. All that is truly important is that someone noticed the hole and took the time to notify the council.
FURTHER READING
Home of the Liberty Alliance group:
www.projectliberty.org
Microsoft's Passport product site:
www.passport.com
SHRINKING THE CORPORATE KEYRING
Sun Identity Server is the first Liberty-enabled product, available in limited release, but so far Sun Microsystems' client examples are internally focused.
One large US bank uses the established Identity Server product as a single sign-on front end to its disparate data sources, allowing employees to move client information through the system more smoothly than with previous paper-based and multiple sign-on processes.
Expect that trend to continue, as companies realise that they may be better off unifying their in-house sign-on processes before they worry about federating customer authentication.
Novell solutions marketing director Dave Cotterill noted that in part the push to deploy enterprise-wide single sign-on is coming not from IT or business leaders, but from risk management advisers trying to clamp down on vulnerabilities to intellectual property and corporate stability.
Aside from eliminating password support overlap, visionaries are hopeful that the federated security approach will allow corporate intranets to share authentication with external partner sites, without having to build an expensive portal to aggregate the data. The other advantage to internal single sign-on is a single cut-off point.
A prerequisite to deploying single sign-on within a firm is an authoritative data source that the entire organisation can trust.
Andy Baldin, Novell solutions marketing director, suggested that, in most organisations, this will come either from the IT department in the form of directory-based authorisation, or from the central human resources system.
Once an authorisation framework is extended to partners or customers, the HR solution loses a great deal of its lustre, since records of the outside users will not be available on the system.