Bell Labs Takes Stab at True Single Sign-On

A new online authentication technology developed by researchers at Lucent Technologies Inc.'s Bell Labs could finally make true single sign-on in the enterprise a reality.

A new online authentication technology developed by researchers at Lucent Technologies Inc.s Bell Labs could finally make true single sign-on in the enterprise a reality. In addition, it has the potential to add tighter security to similar sign-on efforts by the Liberty Alliance Project and Microsoft Corp.

The software, called Factotum, is unique in that all user credentials are stored on the network, allowing users to access them as needed via PCs or other devices. No user names and passwords are stored on client machines.

While Bell Labs developers said they dont intend for Factotum to compete with Microsofts Passport or solutions built on the Liberty Alliance specification, the software has features and functions that make it a compelling complementary technology.

"There are quite a few pieces that could be relevant," said Eric Grosse, director of networked computing research at Bell Labs, in Murray Hills, N.J. "Theyre solving a slightly different problem than we are."

Originally written for Bell Labs Plan 9 operating system, Factotum is easily ported to other platforms, including Windows, Solaris, Linux and Unix, according to the researchers.

The software comprises two pieces, Secure Store and Factotum. To set up the services, users type into Secure Store the various user names and passwords for the Web sites they frequent. This data is protected through Advanced Encryption Standard and is then stored on the network.

To retrieve this data, users enter a password in the Factotum software that runs on their client machines. Using a new protocol Bell Labs developed called Password Authenticated Key Exchange, the software retrieves the requested key from the network.

Once on the users machine, the keys are stored in RAM, rather than on the hard drive, and are deleted as soon as the machine is switched off.

"What has struck me as interesting and unique about the whole deal is the approach to security where there is no root," said David Nicol, professor of computer science at Dartmouth College, in Hanover, N.H., and director of research and development at Dartmouths Institute for Security Technology Studies.

In the new approach, Nicol said, a user has rights to modify keys, but no one else. "The user delegates his rights to an agent," he said.

Bell Labs made the software available for free download last week. The company has no plans to sell the software.

"The main thing is we have a scheme that doesnt require massive deployment," Grosse said. "You could deploy it on the department level and move on incrementally from there."

Security insiders see Factotum as a good first step.

"The underlying concepts are very useful," said Arvind Krishna, vice president of security products at IBMs Tivoli Software group, in Austin, Texas. "Like storing keys only in RAM, using strong cryptography. But they need to get to the next level and populate the Web sites with the user information."

Liberty Alliance members plan to use the Liberty specification to create a trust system that gives users the ability to share their identity information with multiple Web sites without having to log in to each one separately.

Liberty officials, however, were noncommittal.

"It is important to work to ensure interoperability ... in the areas of network identity and Web services," a Liberty Alliance spokesman said.