Latest Liberty Alliance specs allow users to log on once and shop securely


The Liberty Alliance Project has finally unveiled the technical specifications that will allow Web users to log in once and shop securely at various online sites without multiple sign-ins.

The new specs will provide services that will make it easier and more secure for online shoppers and companies to make multiple purchases online.

Among the key features of the new specifications are:

  • Opt-in account linking. Allows users to choose to link accounts they have with different sites or companies, as long as the services agree to work together.

  • Simplified sign-on for linked accounts. After those accounts are linked, the user can log in and authenticate at one linked account and navigate to another linked account without having to log in again.

  • Authentication context. Will allow institutions or companies that provide linked user accounts to communicate the type of authentication required at the user's login.

  • Global logout. Will log out a user at all sites at once while maintaining a live session.

Founded last September, the Liberty Alliance Project promised to create technical specifications that would permit single sign-on and decentralised authentication based on openly available technologies. The initiative created an alternative to Microsoft's Passport system, which authenticates only users who access sites that support Passport.

Companies such as Sun Microsystems, Nokia, MasterCard and American Express are members of Liberty Alliance and expressed their support of the specifications.

The specification is based around protocols such as Security Assertion Markup Language (SAML).

Liberty's specifications are intended to remove some of the burden for users as they traverse multiple Web sites to do transactions, said Paul Madsen, strategic product manager for identity services at Liberty Alliance member Entrust, and a member of the Liberty technology group.

He said he anticipated interoperability between Liberty and Microsoft's Passport. Users of Passport could authenticate to a Liberty provider, he said.

According to the alliance, Version 1.0 specifications do not involve exchange of personal information, but provide a format for exchanging authentication information between companies to protect user identities. Uses include business-to-consumer commerce, business-to-business commerce, and enterprise-to-employee applications.

To prevent multiple transactions of a user from being correlated with a user's actual identity, version 1.0 features "pseudonymity", in which the actions of an individual will not be tied together.

This prevents businesses from colluding to find out more about a user and prevents hackers from accessing user information, Madsen said. A user is protected by a randomly generated stream of code acting as a pseudonym to enable the user to interact between two Web sites.

"The benefit of that is, the user's privacy is protected," Madsen said.
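To make the four listed features and the pseudonymity mechanism concrete, here is an added toy model of a Liberty-style identity provider (written for this article; it is not Liberty's or any vendor's code, and the user, password and site names are constructed). It shows opt-in linking minting a different random handle per site, sign-on assertions that carry only that handle plus an authentication context, and a global logout that lists the sites to notify and refuses further assertions.

```python
import secrets
class IdentityProvider:
    # Toy Liberty-style identity provider (constructed example, not Liberty's code).
    def __init__(self):
        self.users = {"alice": "pw-alice"}   # constructed credentials
        self.federations = {}                # (user, sp) -> random pairwise pseudonym
        self.sessions = {}                   # user -> set of SPs with a live session

    def login(self, user, password):
        # The user authenticates once, at the IdP, with the IdP's own credentials.
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        self.sessions[user] = set()

    def federate(self, user, sp):
        # Opt-in linking: mint a fresh random handle per (user, SP) pair, so no two
        # sites ever see the same identifier and cannot correlate the user.
        return self.federations.setdefault((user, sp), secrets.token_urlsafe(16))

    def assertion_for(self, user, sp):
        # Simplified sign-on: the assertion carries only the pseudonym and the
        # authentication context (how the user proved identity), never the real name.
        if user not in self.sessions:
            raise PermissionError("not authenticated")
        if (user, sp) not in self.federations:
            raise PermissionError("accounts not linked")
        self.sessions[user].add(sp)
        return {"name_id": self.federations[(user, sp)], "authn_context": "password"}

    def global_logout(self, user):
        # Global logout: return the SPs that must be told, and drop the IdP session
        # so any later assertion request is refused.
        return sorted(self.sessions.pop(user, set()))

def run_scenario():
    idp = IdentityProvider()
    idp.login("alice", "pw-alice")
    p_shop = idp.federate("alice", "shop.example")
    idp.federate("alice", "bank.example")
    shop = idp.assertion_for("alice", "shop.example")
    bank = idp.assertion_for("alice", "bank.example")
    notified = idp.global_logout("alice")
    try:
        idp.assertion_for("alice", "shop.example")
        denied = False
    except PermissionError:
        denied = True
    return {"unlinkable": shop["name_id"] != bank["name_id"],   # SPs cannot join on name_id
            "stable": idp.federate("alice", "shop.example") == p_shop,  # same handle on return
            "notified": notified, "denied_after_logout": denied}
```

The check to carry over into a real deployment is the first key: if two relying parties ever receive the same identifier for one user, the pseudonymity the article describes is lost.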

James Kobielus, senior analyst at the Burton Group, said, "Users will be able to optionally link - and de-link - their accounts, so as to reduce the number of times they need to enter user IDs and passwords when transacting business across one or more 'federated' or affiliated organisations.

"The principal shortcomings of the Liberty Alliance 1.0 specifications are that they are new, unproven in the field, rely on the still immature but promising SAML 1.0 standard, and leave many complex technical integration details to be worked out by organisations that implement Liberty-enabled account linking," Kobielus said.

Meanwhile, in response to the Liberty Alliance announcement, Microsoft said it is taking a broader approach to network identity management, according to Adam Sohn, product manager for .NET platform strategy.

Microsoft plans to support a variety of network security standards in addition to SAML, which is at the core of the Liberty Alliance specification. Those additional technologies include public key infrastructure (PKI) and Kerberos, Sohn said.

Microsoft said that development of the WS-Security specification would play a more important role in authenticating user credentials on the Internet than the Liberty Alliance specification.

"[Liberty Alliance] is solving a slightly more narrow problem than WS-Security," Sohn said.

"We think there needs to be a general-purpose architecture for identity management that can support lots of security types," Sohn said. "SAML assertions are one type. We don't think you can just pick one and enforce it across the world. Different customers have different needs."
