Federating to the consumer
In consumer-to-business federation networks, sites such as Facebook, Google and other popular social networks are embracing OpenID and other lighter, more open standards so they can become the identity providers for their own consumers, and for all of those consumers' non-sensitive online applications, Forrester's Maler says.
Logging in at Facebook, then, would allow users a single click-through to their other applications, so long as those application providers are participating in the federated network and interoperate with the appropriate standards.
While some organisations feel uneasy about using a Facebook or Google account as the primary login for their customers, employees and partners, others are accepting this as the way of the future. For example, the AHA's Chakkarapani says many of his mobile, part-time and younger workers want to use social networking for conducting all forms of business.
“We need to be able to support all types of access in order to achieve the 100 percent adoption of our system that we've achieved,” Chakkarapani says. “Many of our young people will only work in these types of collaborative environments.”
On the other hand, AutoTrader's Gold says he worries about the risk of using social networks as the primary identification service for employee, partner and, ultimately, consumer access. For example, in May, 100,000 Facebook applications enabled the leakage of millions of access tokens to third parties, and there are myriad examples of social networking consumers being phished out of their credentials or letting in malware that inserts itself into otherwise properly authenticated sessions.
This is why vetting the identity provider is important for organisations considering outsourcing their identity management, says NSTIC's Grant.
“Vendors and service providers are picking up the basics of identity now, doing provisioning and directory services management,” says Grant, whose program has been slotted to receive US$18 million to support identity pilot programs in 2012. “But the tools for governance and compliance aren't there yet.”
At the end of the day, it doesn't matter what the standard is, just as long as the identity ecosystem is working for businesses and consumers, says Patrick Harding, CTO of Ping Identity, an identity security firm. “A CTO doesn't care what standards are involved or if it is federated or not,” he says. “CTOs don't want lots of passwords everywhere, and they want to seamlessly access all of their applications regardless of where they're accessing from or where their applications are hosted.”