For years, the notion of federating identities into a single secure identity “ecosystem” to work across multiple applications and entities seemed to gain little traction. That is, until recently, when cloud computing and mobility started placing new demands on access that only a federation could meet.
The reality is, identity federations of hundreds of thousands to millions of business-to-business (B2B) entities are flourishing in the automotive, aerospace, pharmaceutical, government and other sectors. Now, vendors, service providers and enterprises are adopting standards to support single sign-on (SSO) authentication for cloud and mobile access. Meanwhile, Facebook, Google and other social networking giants are poised to become one-stop identity providers for the masses.
“Federation is alive, well and thriving,” says Mark Diodati, research vice president at Gartner. “Most organisations are using federation internally, to connect to partners and to connect disparate security and access systems during mergers and acquisitions. Now, federated identity is about SSO and provisioning to resources in the cloud.”
That is not to say that federation is going to be a walk in the park. Standards – responsible for growing adoption of identity federations – are numerous and confusing, experts say. Yet to prepare comprehensively for federation, enterprises, cloud service providers, and identity services and access management vendors will all have to consider multiple standards based on their own, and their users', access models.
Another issue is vetting the identities, which brings into question legal issues around privacy, liability and allocation of risk, says Jeremy Grant, program director of the National Strategy for Trusted Identities in Cyberspace (NSTIC), a public-private sector initiative that debuted in April. The agency is charged with creating a trusted, online ecosystem that would designate a single credential to users as a one-time digital password – e.g., software for mobile devices, a smart card or token – to foster secure transactions on the internet.
“There are very large federations out there specific to sectors within the government and in vertical industries,” Grant says, pointing to SAFE BioPharma (a standard used by organisations to verify and manage digital identities), CertiPath (which manages a huge identity federation for the aerospace industry), and InCommon Federation (which supports more than 200 research universities). “The issue is getting identity federation to the next level, which requires a new wave of authentication technologies and rules to govern them that can work in a highly mobile, portable world where smart cards and tokens may not always be the answer.”
For example, he cites phone authentication, which can be used as a third factor for one-time tokens via text message. In addition, the phone itself can be used as the additional factor.