Where Web Users Go, Personal ID Will Follow

March 2002
By Sharon Berry

Organizations unite to provide one-time sign-on, greater control over proprietary data for customers.

Eighteen companies have formed a consortium to collaborate on redefining how online identities are established, managed and optimized. The group’s members believe that a federated identity approach will enable the next generation of the Internet, which will be characterized by federated commerce. This consumer- and business-friendly concept means that when traveling virtually within a federation of participating goods or service providers, an individual will have to sign on only once and will be able to advance through levels of authentication and authorization without starting the process over at each provider’s electronic gate.

Collectively calling themselves the Liberty Alliance, the founding companies have opened membership to any organization, including nonprofits and government agencies, and 2,000 firms already have expressed interest. They seek to develop interoperability standards and common protocols for managing network identity to implement ubiquitous single sign-on, decentralized authentication, open authorization and security from any Internet-enabled device.

Identity refers to information about an individual that is stored and accessed digitally, such as a user name, personal identification number and Social Security number. It also can include biometric data. For businesses, identity includes information essential to knowing their customers better than their competitors know them. Against the backdrop of September 11, managing identity information is a national security issue.

The Internet’s early generations provided worldwide access and communication as well as the ability to conduct business transactions in a one-on-one fashion. The next era will allow open, federated identity, offering new commerce opportunities and enabling individual users to have a more direct hand in managing their personal data.

The Liberty Alliance initiative has been divided into work on governance, technology, policy and marketing. Corresponding committees have been formed to oversee the technology aspects of the project, ensure security and privacy, and monitor issues relevant to each of these areas.

Because the consortium is still very new—established in September 2001—each one of the subcommittees is trying to determine its piece of the puzzle, says Mark Herring, director of corporate strategy and planning at Sun Microsystems, Palo Alto, California. “The marketing committee is trying to find out what the marketing requirement documents are that describe how to go and do this,” he shares. “There are also technical issues. For example, you need to be able to encrypt the data over the wire, you need to be able to store it, and you need to be able to handle things such as biometric data. The policy team is worried about issues such as child protection. It monitors new policy … and how it plays into our work. They look at what is coming from Capitol Hill.”

According to Herring, Internet identity is a concept that has been around for a while. “People naturally ask, ‘Who can I let onto my site and what can they do?’” he shares. But there are also issues about how to decide which details of a user’s habits should be kept and how they should be used—the personalization versus the privacy side of the discussions, he adds.

Amazon.com was one of the first sites to specialize in personalization and customization using identity. For example, customers can keep wish lists of books and other merchandise they may want to purchase in the future, and patrons can purchase items with the site’s “one-click” method because address and credit card information has been saved. Amazon may also make purchase recommendations based on customers’ buying habits. “We have technology to do this and we have a boatload of it,” Herring notes. “More and more offerings are being pushed out to the Internet, and it is forcing people to look at network identity and define it more clearly.”

Liberty Alliance members asked how they could create a federated network identity based on open standards versus a centralized approach. Alliance members believe that a federated perspective is important because most consumers prefer to administer their own identity, personal profile and personalized configurations. A federated system would prevent any one entity from having a monopoly on someone’s personal information and from charging others for access to it, Herring explains.

“The reason that standards need to be open is clear when you look at Microsoft,” Herring says. “Its Passport technology came along and created network identity that Microsoft owns. All of the data is stored on a Microsoft server at a very secure location, so customers feel pretty comfortable with that. But some customers are asking, ‘What are they going to do with my data? As a consumer, I am worried about it.’”

Microsoft’s model is based on proprietary centralized personal data. It manages all profile information using its own services. “This is great because it is a very simple technology solution,” Herring says. “You’ve got one big server that stores all this stuff. From a technical perspective, we’ve had that ability for a while.” The difference is that while other organizations can subscribe to Microsoft’s service, Microsoft is still the gatekeeper for all of the information. The issue from a consumer perspective is that users might not want certain types of information shared with every organization simply because it is a part of the Passport service.

One of the first questions the consortium must answer is how to federate identity. “This is really why these companies got together around Liberty and formalized an agreement to say they would solve this as a consortium in an open-standards-based manner,” he points out. “The goal is that the Amazon information gets stored at Amazon and the UAL [United Airlines] information gets stored at UAL.”

Each Web entity has or needs access to certain profile information about its users, Herring says. “Sites don’t want to share all of their information, but they would like to make sure it is me they’re interacting with. This means that I can log on my UAL site and establish identity there. Okay, this is Mark Herring and here’s his profile. But then if I move to another site, currently I have to re-log on there. Wouldn’t it be nice if the second site knew it was me but all of my profile information didn’t come across with me, just the information I wanted to share with them such as my address?”

With a federated identity, users would not have to log on each time they visited a different site. Herring continues, “When I move back from that site to Yahoo, wouldn’t it be nice if they could bring my address with me so that the local weather information would be available? But Yahoo doesn’t really need to know information such as my book buying habits. Each one of these entities owns the data about you and they only share the data you want them to share.”

Herring notes that account chaining could achieve this. “When I move from one site to another, the site recognizes that UAL identification number 127 is for Mark Herring and Amazon identification mark.herring is for Mark Herring,” he relates. “There is a way of chaining these things together. Exactly how it will be implemented hasn’t been decided yet.”

Authentication is another consideration. A host of different standards can be used that deal with authentication, Herring relates. “One company may use one method and a second company may use another. To establish my identity at my Yahoo page, all I have to do is put in my user name and password, and that is really simple. But for me to go and access my bank account, they may want to know my mother’s maiden name.”

But authorization is a bigger challenge, Herring says, because standards have not been established. “The question is what can a user do? Can Joe look at the employee records? Can Joe adjust the salary?” he asks. “There are proposed ways of doing this. There is a standard coming out of the Oasis Group. It’s called SAML—Secure Access Markup Language—which is really just a way of bringing XML documents together that define your security tokens and what you can or cannot do. It hasn’t been defined as a standard yet.

“We expect standards to be adopted. But if you’re in an enterprise trying to implement this stuff, you may wonder which standard to use. You may ask if SAML is the way things are going. We are dealing with a lot of mismatches of no standards in one and too many standards in another.”

One of Liberty’s jobs will be to solve the interoperability issues created by too many standards. Herring says the group is going to propose the Über-standard, the standard above all others, to outline how two different standards will interoperate. “We have to make sure that if we’re going to do this in a federated way, these things need to work together,” he says. “We’re not going to solve it by creating yet another standard for identity or authentication. We’re just trying to make the handshake happen.”

Organizations that will use Liberty’s federated identity solution will realize significant cost savings. “They will see lower cost because they don’t have to go through the whole business development effort to hook up with everyone they want to,” Herring offers. “All they have to do is hook up with Liberty.”

A perk of the new system for individual users may be bonus credits from businesses. Depending on what information users choose to share between the sites, they could earn points or get freebies from participating sites when they complete many of their transactions with Liberty Alliance businesses. Perhaps users would earn frequent flyer miles if they have done a lot of business within the alliance, Herring offers.

When looking at the road map to achieve federated network identity, Herring notes that companies need to prepare for the next era of the Internet by building and implementing solutions from the first two phases of the process—identity infrastructure and identity services. “Federated identity is coming,” he maintains. “There’s a lot to do before that. The people we speak to need to get the identity half in order so they can eventually get to federated identity. If you haven’t done phase one and phase two, you can’t get to phase three. That’s a lot to keep busy with today while we wait for Liberty to develop specifications.” He expects those to be released by May.

Additional information on the Liberty Alliance is available on the World Wide Web at http://www.projectliberty.org.