The Liberty Alliance Project has finally unveiled the technical
specifications that will allow Web users to log in once and shop
securely at various online sites without multiple sign-ins.
The new specs will provide services that will make it easier and
more secure for online shoppers and companies to make multiple
purchases online.
Among the key features of the new specifications are:
- Opt-in account linking. Allows users to choose to link accounts
they have with different sites or companies, as long as the
services agree to work together.
- Simplified sign-on for linked accounts. After those accounts
are linked, the user can log in and authenticate at one linked
account and navigate to another linked account without having to
log in again.
- Authentication context. Will allow institutions or companies
that provide linked user accounts to communicate the type of
authentication required at the user's login.
- Global logout. Will log out a user at all sites at once while
maintaining a live session.
Founded last September, the Liberty Alliance Project promised to
create technical specifications that would permit single sign-on
and decentralised authentication based on openly available
technologies. The initiative created an alternative to Microsoft's
Passport system, which authenticates only users who access sites
that support Passport.
Companies such as Sun Microsystems, Nokia, MasterCard and American
Express are members of Liberty Alliance and expressed their support
of the specifications.
The specification is based around protocols such as Security
Assertion Markup Language (SAML).
Liberty's specifications are intended to remove some of the burden
for users as they traverse multiple Web sites to do transactions,
said Paul Madsen, strategic product manager for identity services
at Liberty Alliance member Entrust, and a member of the Liberty
technology group.
He said he anticipated interoperability between Liberty and
Microsoft's Passport. Users of Passport could authenticate to a
Liberty provider, he said.
According to the alliance, Version 1.0 specifications do not
involve exchange of personal information, but provide a format for
exchanging authentication information between companies to protect
user identities. Uses include business-to-consumer commerce,
business-to-business commerce, and enterprise-to-employee
applications.
To prevent multiple transactions of a user from being correlated
with the user's actual identity, version 1.0 features "pseudonymity",
in which the actions of an individual will not be tied together.
This prevents businesses from colluding to find out more about a
user and prevents hackers from accessing user information, Madsen
said. A user is protected by a randomly generated string that acts
as a pseudonym, letting the user move between two Web sites without
revealing a shared identity.
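As an added illustration of the pairwise pseudonym idea described above (this is not code from the Liberty specification or from any member company), the toy identity provider below issues a separate random identifier for each user and site pair, and only after the user has opted in to linking; the user and site names are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class IdentityProvider:
    """Toy identity provider (constructed for this example).

    A different random pseudonym is issued for each (user, site) pair, so
    two sites that compare the identifiers they hold cannot tell whether
    they are serving the same person.
    """
    # (local user id, site id) -> opaque pseudonym; filled only on opt-in
    federations: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def link_account(self, user: str, site: str) -> str:
        """Opt-in account linking: called only when the user chooses to
        federate this account with this site. Repeat calls return the
        same pseudonym, so the site can recognise a returning user."""
        key = (user, site)
        if key not in self.federations:
            # 128 random bits; carries no information about `user`
            self.federations[key] = secrets.token_urlsafe(16)
        return self.federations[key]

    def unlink_account(self, user: str, site: str) -> None:
        """De-link: the site keeps only a pseudonym that is now dead."""
        self.federations.pop((user, site), None)

    def authenticate(self, user: str, site: str) -> Optional[dict]:
        """Return an assertion addressed to `site`, or None if the user
        never linked this account with that site."""
        pseudonym = self.federations.get((user, site))
        if pseudonym is None:
            return None
        return {"audience": site, "name_id": pseudonym}


def colluding_overlap(site_a_ids: Set[str], site_b_ids: Set[str]) -> Set[str]:
    """What two colluding sites learn by intersecting their name_ids:
    with pairwise pseudonyms, the intersection is empty."""
    return site_a_ids & site_b_ids
```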
"The benefit of that is, the user's privacy is protected," Madsen
said.
James Kobielus, senior analyst at the Burton Group said, "Users
will be able to optionally link - and de-link - their accounts, so
as to reduce the number of times they need to enter user IDs and
passwords when transacting business across one or more 'federated'
or affiliated organisations.
"The principal shortcomings of the Liberty Alliance 1.0
specifications are that they are new, unproven in the field, rely on
the still immature but promising SAML 1.0 standard, and leave many
complex technical integration details to be worked out by
organisations that implement Liberty-enabled account linking,"
Kobielus said.
Meanwhile, in response to the Liberty Alliance announcement,
Microsoft said it is taking a broader approach to network identity
management, according to Adam Sohn, product manager for .NET
platform strategy.
Microsoft plans to support a variety of network security standards
in addition to SAML, which is at the core of the Liberty Alliance
specification. Those additional technologies include public key
infrastructure (PKI) and Kerberos, Sohn said.
Microsoft said that development of the WS-Security specification
would play a more important role in authenticating user credentials
on the Internet than the Liberty Alliance specification.
"[Liberty Alliance] is solving a slightly more narrow problem than
WS-Security," Sohn said.
"We think there needs to be a general-purpose architecture for
identity management that can support lots of security types," Sohn
said. "SAML assertions are one type. We don't think you can just
pick one and enforce it across the world. Different customers have
different needs."