The Web Confronts Its Identity Crisis


The rapid adoption of the Internet as a conduit of vital information -- for e-commerce and in business-to-business uses -- has created a big problem that the industry has been grappling with for a few years: People have too many passwords. The corollary problem is that the more passwords that are floating around, the more ways online scoundrels have to trick and defraud people.


The good news is that there are several efforts to address the situation. The bad news is that these efforts, while not necessarily directly competitive -- indeed, there seems to be a good deal of cooperation -- have created a confusing and fragmented landscape.


Last week, Microsoft, Oracle, PayPal, Novell, Equifax and 15 lesser-known companies announced the formation of the Information Card Forum. The goal is to create cards that people can use instead of passwords to enter sites. Dark Reading reports that the ICF is willing to work with organizations and consortia in the field such as OpenID and the Liberty Alliance.


OpenID, which offers a method by which a person can use one password to log onto all participating sites, is perhaps the highest-profile effort aimed at this problem. Last week, Clickpass said that it introduced a method by which people can use Google, Facebook, Yahoo or Hotmail passwords to enter any site within the Clickpass universe. This Washington Post story describes Clickpass' approach. The writer adds that the companies whose passwords Clickpass is using probably will come up with their own version of the system. This, he says, will pose a big problem for the firm.


The issue of secure cross-company single sign-on is being addressed by some of the heaviest hitters in the industry. This, of course, is a good thing. As the recognition of the problem grows, the pressure toward working through the technology and financial thickets and developing one solution also grows. Earlier this year, Google, IBM, Microsoft, VeriSign and Yahoo joined the board of OpenID. The presence of Microsoft both on the board and in ICF is a good sign. Redmond also has its own internal project, code-named Info Card.


Making life easier for consumers is a big part of the effort. A related and just as vital initiative is aimed at enabling companies that are working together or have some other deep relationship to allow employees the ability to perform tasks on each other's sites without going through repetitious log-on procedures.This is generally referred to as federated identity.


One of the groups working to improve federated identity procedures is The Liberty Alliance. Last week, the Alliance released two specifications. The Identity Assurance Framework is a four-level set of criteria that each company in a federated identity arrangement must follow. The Identity Governance Framework helps participating companies meet regulatory requirements for using, managing and protecting identity information, the story says.


It is an understatement to say that this general area is confusing. The complexity of the effort to create a single framework for federated identities and single sign-on access for Web users is evident in this interview that I did in March with Brett McDowell, executive director of the Liberty Alliance. The best chance for quickly aligning all the efforts seems to be the Concordia Project, a consortia aimed at harmonizing the various initiatives into a single framework.