The Future Of Web Authentication
After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.
Federation To Solve Inconvenience Issues
Federation protocols and other single sign-on back-end standards could provide a missing piece to the authentication puzzle. These standards offer the technical framework to let people use a single set of credentials to log in to numerous sites without sharing their login credentials with all those sites.
Leading the way on this front is OAuth, the open standard that powers Facebook's third-party single sign-on service that lets a user log in to a huge number of consumer Internet sites using a Facebook login. It's also the protocol behind similar efforts at Twitter and Yahoo.
"The reason we created OAuth was so that you don't give your user name and password to a third party," says Bradley of Ping. If you're logging in by giving an application access to your Twitter account through OAuth, "the third-party site gets a token for accessing that user's authenticated identity but never actually gets your user name and password."
So while it doesn't solve the problem of strong authentication at the relying party that provides the initial authentication, it does allow for a much simpler user experience and shields the user's identity. People deal with fewer passwords and are less likely to reuse them. And it also gives you an HTML plane where you could insert a federated identity that depends on a stronger authentication factor, Bradley says.
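The token handoff Bradley describes can be sketched as a small in-memory simulation. This is an added example, not code from the article or from any provider: it is modelled on OAuth's authorization-code exchange (an assumption, since the article names no specific flow), and the class names, the `photo-app` client, its secret, and the user record are all constructed for illustration.

```python
import hashlib, hmac, secrets

class IdentityProvider:
    """Toy provider, constructed here; unsalted SHA-256 stands in for a real password hash."""
    def __init__(self):
        self._users = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
        self._clients = {"photo-app": ("s3cret", "https://photo.example/cb")}
        self._codes, self._tokens = {}, {}

    def authorize(self, username, password, client_id, redirect_uri):
        # The user types the password here, at the provider, never at the third party.
        if client_id not in self._clients or self._clients[client_id][1] != redirect_uri:
            raise PermissionError("unregistered client or redirect URI")
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, self._users.get(username, "")):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, client_id)
        return code  # delivered to the third party via browser redirect

    def exchange(self, code, client_id, client_secret):
        # Codes are single use: pop() makes a replayed code fail.
        username, issued_to = self._codes.pop(code, (None, None))
        secret = self._clients.get(client_id, ("", ""))[0]
        if username is None or issued_to != client_id or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("invalid code or client")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = username
        return token

    def whoami(self, token):
        return self._tokens[token]

class ThirdPartySite:
    """Everything this site ever receives is recorded in self.seen."""
    def __init__(self, idp):
        self.idp, self.seen = idp, []

    def handle_callback(self, code):
        self.seen.append(code)
        token = self.idp.exchange(code, "photo-app", "s3cret")
        self.seen.append(token)
        return self.idp.whoami(token)

def demo():
    idp = IdentityProvider()
    site = ThirdPartySite(idp)
    code = idp.authorize("alice", "correct horse", "photo-app", "https://photo.example/cb")
    return site.handle_callback(code), site.seen, idp, code
```

After `demo()`, `site.seen` holds only the one-time code and the access token, which is the property that limits what a compromised third-party site can leak.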
Bradley is seeing a movement among the large providers he works with via the OpenID Foundation to start accepting each other's federated logins to reduce the amount of fraud. Federated credentials let people choose strong credentials through a federated identity provider. This approach could sidestep concerns of users who want strong authentication and the convenience of a single sign-on process, without having to trust a social media provider such as Facebook with even more details about their lives.