Federation shows the way forward with ID security

PUBLISHED : Tuesday, 27 September, 2005, 12:00am
UPDATED : Tuesday, 27 September, 2005, 12:00am

System enables users to sign in once in trusted environment

Being able to establish and protect one's identity on the internet is becoming increasingly important as companies do more business online.

If you walk into a bank, you can show the bank manager an ID card with your picture - you are identified. But how does that work over the internet?

A few years ago, Microsoft made an attempt to deal with this problem when it created Passport. The idea behind Passport was something called 'single sign-on authentication'. This would work as a digital 'ID card' that could be recognised all over the internet. The idea caused a stir, however.

Many observers did not like the idea of a single company controlling so much sensitive data, especially a company that had acquired a less than exemplary track record in security. Another problem was Microsoft's tendency to go its own way with proprietary technology to the detriment of other companies.

Enter the Liberty Alliance.

Donal O'Shea, executive director of Liberty Alliance, was recently in Hong Kong to explain to potential allies and partners what he does.

'The Liberty Alliance was formed to create an open alternative to Microsoft's proprietary Passport initiative,' he said. 'We began in 2001 and now that we have accomplished that goal - the Liberty Alliance exists to solve real-world identity problems. Our members identify a market requirement and then work collectively and quickly to deliver a real-world solution that could be based on technology, business guidelines, privacy best practices or a combination of all three.'

For example, logging on to an airline website to buy a ticket and then deciding to hire a car at the destination would usually require the customer to give his or her details twice - once to the airline company and then again to the car rental company. However, with the technologies and business practices worked out by the Liberty Alliance it should be possible to sign on once and allow the first company to 'forward' your 'identity' to the second, Mr O'Shea said.

The key concept behind this was 'federated identity management'.

'Federation offers businesses, governments, employees and consumers a secure and convenient way to control identity information,' he said.

'A federated network identity delivers the benefit of simplified sign-on to users by allowing them to link elements of their identity between accounts without centrally storing all of their personal information. This increases security and delivers better identity control. With a federated network identity approach, users authenticate once in a trusted environment, while still retaining complete control over their personal information.'

The technology necessary to make this happen is the Security Assertion Markup Language (SAML). This has been adopted by the Organisation for the Advancement of Structured Information Standards (OASIS) and the Liberty Alliance.
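To make the airline-to-car-rental hand-off concrete, here is an added illustration, written for this article and not code from the Liberty Alliance, OASIS or any SAML implementation. It follows the shape of a SAML assertion (issuer, subject, audience restriction, validity window, unique ID and a signature) with the airline acting as identity provider and the car-rental company as service provider. The entity URLs, the timestamp and the key are constructed, and a shared HMAC key is used as a stand-in for the public-key XML signature a real SAML assertion carries, so the example runs with the Python standard library alone.

```python
"""Toy federated sign-on in the style of a SAML assertion exchange.

Constructed example for this article; not Liberty Alliance, OASIS or SAML
reference code.  The identity provider (the airline) issues a signed assertion
and the service provider (the car-rental company) validates it, so the user
authenticates once and the second site never handles a password.
"""
import base64
import binascii
import hashlib
import hmac
import json
import uuid

# Hypothetical entity identifiers for the two parties.
AIRLINE_IDP = "https://airline.example/idp"
CAR_RENTAL_SP = "https://carrental.example/sp"

# Simplification: a shared HMAC key stands in for the XML-DSig public-key
# signature of a real SAML assertion.  Constructed value for this demo only.
SHARED_KEY = b"constructed-demo-key-do-not-use"

ASSERTION_LIFETIME = 300  # seconds the assertion remains acceptable


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_assertion(subject, audience, now, issuer=AIRLINE_IDP, key=SHARED_KEY):
    """IdP side: state that `subject` authenticated here, for `audience` only.

    `subject` is meant to be an opaque, per-partner pseudonym rather than the
    user's real account name, which is how Liberty-style federation links
    accounts without letting partners correlate a person across sites.
    """
    claims = {
        "id": "_" + uuid.uuid4().hex,      # unique ID lets the SP detect replay
        "issuer": issuer,
        "subject": subject,
        "audience": audience,              # audience restriction
        "issued_at": now,
        "not_on_or_after": now + ASSERTION_LIFETIME,
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(signature)


def validate_assertion(token, now, seen_ids, expected_issuer=AIRLINE_IDP,
                       expected_audience=CAR_RENTAL_SP, key=SHARED_KEY):
    """SP side: accept the assertion only if every check passes.

    Returns (subject, None) on success or (None, reason) on failure.  The
    signature is verified before any claim is trusted; `seen_ids` is the SP's
    own record of assertion IDs it has already consumed.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body, signature = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None, "bad signature"
    claims = json.loads(body)
    if claims["issuer"] != expected_issuer:
        return None, "unknown issuer"
    if claims["audience"] != expected_audience:
        return None, "wrong audience"
    if not claims["issued_at"] <= now < claims["not_on_or_after"]:
        return None, "outside validity window"
    if claims["id"] in seen_ids:
        return None, "replayed"
    seen_ids.add(claims["id"])
    return claims["subject"], None


if __name__ == "__main__":
    t0 = 1_127_822_400  # constructed timestamp
    token = issue_assertion("pseudonym-7f3a", CAR_RENTAL_SP, now=t0)
    consumed = set()
    print(validate_assertion(token, now=t0 + 10, seen_ids=consumed))  # accepted
    print(validate_assertion(token, now=t0 + 20, seen_ids=consumed))  # same ID again: rejected
```

The order of checks matters: the signature is verified first so that no claim is read from an unauthenticated body, and the audience and validity window are enforced so an assertion issued for one partner, or captured and presented later, cannot be accepted by another. Those are the same controls a SAML service provider applies to a real assertion.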

As always with technology, however, not all players agree.

Microsoft and IBM want to propose a different standard, but the weight at the moment would seem to be behind SAML 1.1 and organisations such as the Liberty Alliance. Nevertheless, Mr O'Shea said he would welcome Microsoft should the company choose to join.

Asked if Microsoft was being put under pressure to join the alliance, he said he hoped so.

'We regularly extend an invitation,' he said.

'The marketplace needs a single coherent solution to the digital identity problem. Given the kinds of problems we are talking about - for example, allowing internet users to access any and every website without having to sign on individually to each - multiple technical solutions will multiply the expense to the IT community which will have to implement a "stack" to support each solution.'

He said the reaction to his ideas in Hong Kong had been positive.

'We were delighted at the volume of input we received, and the ideas we had not thought of from Hongkong Post [a Liberty Alliance member] and the [transport and logistics] industry, both of which in Hong Kong are at the leading edge of networking use,' he said.

His discussions with regional leaders also went well.

'It was very clear from our visit to Hong Kong and Singapore that there is a wide understanding of the problem, and in many cases individual organisations have taken steps to address it, either by implementing a partial solution for a subset of their customers or by deciding to purchase a Liberty-enabled product from one of the many companies that provide them.'

Mr O'Shea said a great deal more needed to be done and he expected to be back in Asia soon.