
Thursday, December 6, 2007

Federating Identity for the Web

Federated identity has long been a goal of many IT organizations.
Letting one organization serve as an identity provider for another
frees IT from managing the identities of partner organizations'
employees and customers, so that effort can go into projects that
yield competitive advantage. In this era of increasing enterprise
decentralization, driven in large part by the Web, establishing a
federated identity framework is proving as essential as it is hard to
pull off. "User-centric identity" is a newer approach to federation
that has gained momentum of late.

Two technologies in particular have caught the attention of
organizations looking to accelerate their federation efforts:
CardSpace, Microsoft's identity selector, built on the Information
Card model as a comprehensive answer to user-centric identity problems;
and OpenID, a lightweight standard developed by multiple companies that
bases identities on URLs. CardSpace is built on standards such as
WS-Trust (including the Security Token Service model it defines) and
WS-Security, so it benefits from the public security review those
standards have already received. And because both CardSpace and OpenID
are open architectures, thorough security reviews of each are possible.

The biggest threat to individuals is social engineering, which no
identity system can prevent outright. Phishing is its most serious form
at present, and OpenID, like any authentication scheme carried out
inside the browser, is especially exposed: the relying party redirects
the user to the OpenID provider's login page, so a malicious site can
just as easily send the user to a look-alike page and harvest the
password. The CardSpace identity selector was designed specifically to
foil phishing and related attacks: the user authenticates through the
selector rather than by typing credentials into a Web page, and the
selector shows the user which site is requesting a token. Moreover,
CardSpace's insistence on a consistent user experience reduces the
diverse authentication contexts users face with Web-based
authentication, making it more likely that they will notice something
out of the ordinary when asked for credentials.
