Liberty Alliance has yet to prove business need, warn analysts

Although security group Liberty Alliance got the backing of a raft of major suppliers last month, the federated identity standard it proposes is still in its infancy and has security and business process problems to overcome, analysts have warned.

The Liberty Alliance is a group of more than 150 organisations that are working together to develop single sign-on systems that enable secure business over networks.

Recent new members include Intel, Oracle, Sharp Laboratories of America and several consumer firms. Computer Associates upgraded its member status to sponsor level last month.

The federated identity model potentially allows Liberty members to share electronic identity information on employees and customers so that authorised users can access systems from any location without compromising security. The technology can facilitate e-business and mobile working and cut IT costs.

Graham Titterington, principal analyst at Ovum, said, "The people deploying it are still pioneers, and the implementations are prototypes. In theory, Liberty is pretty sound and well thought out, but it is very complex. A lot will depend on how users implement it."

Titterington said the majority of companies outside the alliance have yet to see a business need for federated identities. "Supply chain automation is still at an early stage, so the notion of automating inter-company processes does not even feature yet," he said.

Titterington also pointed out that many alliance members are IT and telecoms suppliers "with something to gain".

Fran Howarth, practice leader for security at Bloor Research, said the fact that businesses can share user identity data makes the system insecure. "I can see why people are going this way, but you are opening up your networks to your partners. The weakest link is always going to be a problem."

Andy Kellett, senior research analyst at Butler Group, said the Liberty model allows companies to add different levels of security, through the use of multi-factor authentication. "It could use smartcards, or the chip that contains your information might be in your mobile phone," he said.

Microsoft, which is not a Liberty member, has developed its own Passport single sign-on system for users to access its online services, but this does not compete with Liberty.

Microsoft said that although it is not currently working with Liberty Alliance, it is working with many of its members, who are also part of standards body Oasis. "We share the same vision. We want something that is agnostic to the technology being used," said Stuart Okin, Microsoft UK's chief security officer.

Kellett said the two organisations are doing different things with single sign-on. "When Passport came along, it was really just a way of securing your identity on a one-shop basis. Liberty has evolved more on the big business side," he said.

Titterington said, "Passport is a very different animal - it is a managed service, whereas Liberty is a standards organisation. Passport is glorified single sign-on, and, frankly, I am not sure many people would trust Microsoft with their personal information."
