Technologies for authentication and single sign-on are used for almost all forms of e-commerce. However, companies wanting single sign-on systems must decide whether to keep them in-house or outsource them. They must also consider important issues of security, interoperability and liability.
Major vendors, including Microsoft, AOL Time-Warner and an alliance of companies headed by Sun Microsystems, are currently developing or rolling out authentication systems that will enable single sign-on to Web services. And in the future, systems such as Microsoft's Passport, Sun's Liberty Alliance Project and AOL's Magic Carpet promise to go well beyond single sign-on, offering e-businesses not just one-stop authentication but also a way to easily track individual user preferences to personalise online products and services.
Rival systems
However, each of the three vendors is promoting a different, incompatible single sign-on service. For example, the current version of Passport calls for Microsoft to collect, secure and authenticate user sign-on information, while the Liberty Alliance takes a so-called federated approach, meaning that a corporate customer or a third party could control the user information.
The services are not yet designed to share user information with each other. As a result, firms wanting to support single sign-on for the Web must make a decision: they may choose Passport, the only one of the three options currently available; they may wait at least until early next year to see what the Liberty Alliance and AOL have to offer; or they may support all three systems.
Each choice has its advantages and disadvantages. Relatively new e-businesses without many registered users and without much in-house expertise in authentication will be more justified in adopting Passport now, according to experts. But companies with many online customers and the expertise to collect and use consumer information to personalise customer service may want to wait and see what happens.
Source: IT Week
The potential risks and rewards of Passport are the most obvious, because the service is already available. The Liberty Alliance will not have a solution until early next year, too late for some organisations ready to deploy authentication services now. AOL, which is quietly rolling out Magic Carpet across its operations and partner sites, has not yet released details of what sort of Web services it may support.
However, Passport security has already come under attack. Earlier this month, Microsoft was forced to shut down a portion of its Passport Internet Authentication service for two days to address a security breach.
The problem was associated with the Passport wallet service, an option that lets users store credit card and shipping information within their digital IDs. A programmer reportedly devised a way to steal personal information from Passport wallet accounts by sending Hotmail users a message that, once opened, exploits cross-site scripting to steal cookies placed in the browser.
Another difficulty for companies is that despite the touted advantages of single sign-on systems such as Passport, some still question whether online customers really want such sign-on services.
A survey by analyst firm Gartner, released in September, indicated that the main reason most existing users registered for Passport was to have access to other Microsoft services, such as Hotmail. Gartner found that over 70 percent of online adult consumers in the US had not signed up for Passport and were unlikely to do so within the next six months. The reason was a lack of value-added services accessible only through Passport.
Most well-established online businesses seem in no hurry to deploy single sign-on systems before there are a number of services to choose from. Sabre, a technology provider to the travel industry, for example, has decided to monitor the progress of the Liberty Alliance as a sponsoring member while postponing any decision regarding the use of Passport. 'Given that we have an established name-space for all of our sites, we have first-mover advantage. So we don't need to be on the bleeding edge of technology and can afford to be followers,' argued Craig Murphy, chief technology officer at Sabre.
Sabre intends to use Sun's Open Network Environment (One) Web services, which will use the Liberty Alliance's sign-on system. Murphy said he chose to participate in the Liberty Alliance because the system being proposed would allow Sabre to use its existing user ID and authorisation systems.
With Liberty Alliance, a user's travel and credit card information could reside in Sabre directories, rather than the directories of a third party, unlike Microsoft's Passport system. But Sabre's identification of the user would still enable the user to be automatically authenticated at any other travel site that participates in the alliance.
However, Murphy was quick to point out that his company was not in an exclusive relationship with the Liberty Alliance. The plan is to participate in all single sign-on solutions that would help Sabre's business, he said. 'We're not picking teams here,' Murphy commented. 'I would like to see enough specificity from all parties to enable us to put up a handful of Web services with authentication and adequate respect for security, privacy, authorisation and whatnot. I am not massively paranoid about data on any enterprise server that is run by a world-class organisation like Microsoft or AOL and will not rule out their single sign-on offerings in the future.'
Support costs
What worries Murphy, however, are the possible difficulties and expense of licensing and managing more than one authentication system. Analysts point out that the use of more than one system would probably involve the use of such technologies as Simple Object Access Protocol (Soap) and XML to integrate companies with each service. And if multiple sign-on systems were used, there would be the expense of multiple licence fees, and firms would need to reserve space on their sites where users of the different sign-on services could log on. In addition, because companies would collect information on users from a number of services, it might be complicated to aggregate customer information.
Sam Patterson, chief executive at ComponentSource, a firm which sells software design tools, shares Murphy's concerns about supporting more than one sign-on system. However, Patterson has decided that it is worth supporting multiple systems, at least until a dominant system emerges. His company is currently offering Passport log-ins while continuing to manage its own authentication system.
ComponentSource rolled out Passport in late May after a survey showed that a large percentage of the company's 500,000 users wanted the service.
When AOL releases its Magic Carpet service, Patterson said he expects his company will also provide AOL sign-in capabilities for customers using AOL, if there is a demand. He will do the same with any solution released by the Liberty Alliance.
'I wouldn't see more than half of our user base using Passport, so we will have to determine if there is customer demand and how we'll manage all these systems,' Patterson said. 'But if our customers ask for Liberty Alliance or for AOL, we'll probably offer those services as well. The thing is, we don't want to support multiple methods of authentication in the long run. We want to write to one interface and rely on one authentication federation.'
However, IT managers cannot count on one dominant single sign-on service emerging soon, or on Microsoft, Sun and AOL all agreeing to allow their systems to interact.
Microsoft has announced it will open Passport to other authentication systems beginning early next year via a federation agreement, essentially allowing other service providers to offer a branded version of Passport to their customers, with guaranteed interoperability with Passports issued by other providers. Microsoft said that Sun and its partners in the Liberty Alliance would be welcome to join the scheme.
However, Sun has so far shown no inclination to act on Microsoft's offer, though it said Microsoft is welcome to join the Liberty Alliance at any time.
AOL has made no comment.
As a result of these developments, many corporate IT managers say they will wait and see what happens. 'Single sign-on is the next wave of the Internet,' said Sabre's Murphy. 'But until we can come to an understanding of how it will all work, firms will need to tread with caution.'











