Web Identity: Weighing the Alternatives

Computerworld - Suppose an airline wants to give its online customers access to special offers from its hotel and car rental partners, yet spare those users the bother of logging in each time they link to a new password-protected Web site.

The airline also might want to give its employees access to the secure sites of its 401(k) and insurance providers without forcing them to prove their identities multiple times.

Two of the more prominent options the airline might consider are Microsoft Corp.'s Passport service and future systems based on specifications drawn up by the Liberty Alliance Project, an industry consortium with more than 120 members, whose founders include Sun Microsystems Inc., American Express Co. and United Air Lines Inc.

But IT shops might want to carefully assess their choices for single sign-on and user identity management, because both options are in a state of flux and new Web services approaches could alter the landscape even more.

"You really have to have a driving business need to want to do this now, because of the potential for change," says Randy Heffner, an analyst at Cambridge, Mass.-based Giga Information Group Inc.

In July, the Liberty Alliance Project released its specifications for a standards-based mechanism for simplified sign-on and user identity management. But although vendors have promised products based on those specifications, they have yet to produce them.

The second phase of the specifications—which will include guidelines for site-to-site authentication and user-attribute sharing—isn't due until the first half of next year, says Paul Madsen, a member of the Liberty Alliance's technology expert group and manager for identity services at Addison, Texas-based Entrust Inc.

Microsoft's Passport authentication service, which has primarily targeted consumers, relies largely on proprietary protocols that the company made available last month for inspection and development through its shared source code licensing program. But Passport is expected to shift to authentication tokens based on MIT's Kerberos technology and add support for Web services standards next year. That, in turn, has given many in the industry hope that Passport may someday interoperate with Liberty-based authentication and identity management systems.

Core Differences

Currently, the approaches differ. One major distinction is the location where each model stores and maintains user data. Another is the means by which the systems share a user's authentication status information.

Under the Microsoft service, users register either via www.passport.com or a member site that has an agreement with Microsoft. The member site must be running Passport Manager software, which serves as an intermediary between the site's server and the Passport server and helps decrypt incoming cookies.