Single Sign-on, Identity Management & Trust
Thank God for tabs and password management in Firefox. Open right now in my browser are several services I use daily: my Vonage dashboard, Gmail, Typepad, Newsgator, Newsvine, Feedburner, Blue Host (my web site host), Pandora and a few others (and don’t even get me started on the 15 or so newspapers and magazines that require their “free” registration!). Each requires credentials (username and password) before I can use it, and Firefox can store them for me so I don’t have to remember these and dozens of other combinations.
Password management has become a running joke.
My solution to managing personal credentials is my own unique password generation scheme…but most people that I know use the same username and password across all the web sites they use (including their bank, brokerage, eBay, etc.). This is a huge problem, since discovery of one combination would give a black hat hacker the key (or at least an idea about how you set ’em up) to a wide range of sites, and with it the user’s privacy.
We desperately need a better way…especially as web applications continue to explode and more of our computing life is online.
Single sign-on has been the business mandate (and Holy Grail) of the Information Technology organizations in companies for several years…especially as browser-based web applications have exploded within organizations. Having one sign-on that gives you and me access to all consumable web sites, web applications and services would be great, wouldn’t it?
There’s a problem. Who *are* you and I?
Identity management is a critical component of enabling single sign-on and access to many online offerings — and of determining who the person actually using them is. The Liberty Alliance is a promising, cooperative industry group trying to tackle this issue head-on. One aspect of the Trusted Computing initiative is to minimize fraudulent use of a computerized system or device, but facilitating identity management is fraught with peril (someone steals your laptop, knows your credentials, and can easily spoof systems into believing that it’s you).
The last part of the problem I’m seeing is one that not many people are talking about: it is one of simple trust (or the lack thereof). From the NSA performing domestic surveillance (and a history of it in the Federal government) to security expert Steve Gibson’s report that there is a “back door” Microsoft put into Windows for who-knows-what reason (though Microsoft denied it just like they did back in 1999), it makes a guy wonder whether the government or even a cross-industry alliance could be trusted.
If the Web is to truly live up to the potential we all know it has (online voting, more commerce, human relationships), then single sign-on, identity management and especially trust need to be figured out.
About Steve Borsch