When discussing today’s identity solutions you’ll hear the following protocols and solutions bandied about: Facebook’s Graph API, OAuth, OpenID Connect, xAuth, SAML, RESTful APIs, and the FIDO Alliance. After decades of trying, the world of pervasive identities is finally coming within reach. On many websites, you can use your Facebook, Twitter, or favorite OAuth- or xAuth-enabled SSO login to authenticate. There are still interoperability problems, but those barriers are coming down fast.
Today, you can use your password, phone, digital certificates, biometric identity, two-factor authentication (2FA), or multi-factor authentication (MFA) SSO solution to log on to a myriad of sites. Each identity can have different “attributes” or “claims” associated with it, be associated with one or more trusted devices, have different assurance levels, and be used on different sites of your choosing.
Of course, right now, we don’t have universally accepted SSO that works at all sites, but we’re getting closer. And now that we are closer, I’m almost certain we don’t really want it.
There is a distinct need for most of us to have multiple identities tied to different things. For example, most of us have work and personal accounts. My work wants the ability to retain all my work-related content at all times and even has the ability to immediately erase all work content if they terminate my employment. At the same time, I don’t want my work admins having access to my personal content or browsing history on my home computer. I don’t want my personal documents somehow ending up on my work computer and vice versa, which does sometimes happen today with our more pervasive global identities. I remember how surprised I was when my wife plugged her iPod into my work computer to charge and suddenly her iTunes had copies of my work documents.
Perfect single identity
In my perfect world, it would be great if I had a single, global identity that had different “personas”, such as “Work Roger” and “Home Roger”, that I could apply in different use case scenarios and that would be sure to keep the different content and resources separate. It will probably work that way in the future, but we are not quite there yet.
Doesn’t a single sign-on open up more risk?
You may be wondering whether having a single, unifying identity (or even just fewer, but more pervasive, identities) means that a single identity compromise will lead to a worse set of consequences, since one failure now exposes everything. After all, isn’t using a single identity sign-on a lot like using a single password for all your websites? Have we gone full circle just to end up with the same problems?
Yes and no, and mostly no if you do the right thing.