Federated identity management

Another lovely technical subject. Another unfulfilled promise. Did you ever hear of a universal single sign-on? An open market for identity providers? User-centric identity systems? If you did not, then you are not the only one. The marvellous technology did not scale globally. Why? Trust, of course, trust. Or the lack of it.

Federated identity works on a simple premise: one party authenticates you so that the other does not have to. You have only one login name and password, and if you log in – say – to LinkedIn, it internally goes to Facebook to check with Facebook that you are truly you. And, of course, the other way round.

Sadly, this requires a large amount of trust between different sites – much more than there is. Disclosing secrets to someone who has been authenticated by someone else sounds like an impossibility even to the least experienced security managers. As a consequence, we have federated identity management within the confines of a single organisation (where trust is implied anyway), but not where we really need it – between thousands of different e-commerce, blogging and tweeting sites.

Granted, there are some systems that look almost like a single sign-on, but in fact they are built around one dominant company and a lot of smaller followers. Kind of a ‘Lord of the Rings’ solution: one rules them all, the rest are powerless. I do not want to mention the dominant one, but I guess everybody knows anyway.

Trust, trust is desperately missing here. However, there is no universal trust, so maybe our expectations for a universal single sign-on are unfounded. Maybe we are bound to have several login names and several passwords, tokens, cards or whatever the security people will be willing to accept as proof of our identity.

Some time ago I worked with ‘architectures of trust’. Simply put, I expected that the information system must follow and replicate the trust that exists between us. It must not require us to trust someone who is not trustworthy. The lack of universal federated identity management systems seems to confirm it.

