Taking on Digital IDs

Vendors' diverse single-sign-on services forcing tough decisions.

Imagine this: a consumer surfing the Internet logs on to the Travelocity.com site and books a vacation. The consumer then jumps to your site to book or check the status of an order. Having already been authenticated on the Travelocity site, the user is automatically logged on. Free from the need to remember and enter a new user name and password, the consumer commences to spend money.

Too good to be true? Maybe not. Major vendors, including Microsoft Corp., AOL Time-Warner Inc. and an alliance of companies headed by Sun Microsystems Inc. are rolling out Web-based authentication systems that will enable just that kind of single-sign-on ease of use. What's more, systems such as Microsoft's Passport, Sun's Liberty Alliance Project and AOL's Magic Carpet promise eventually to go well beyond single sign-on, offering e-businesses not just one-stop authentication but also a way to easily track individual user preferences in order to personalize online products and services.

That's the good news. The bad news? Each of those offerings promotes different, incompatible single-sign-on services. For example, the current version of Passport calls for Microsoft to collect, secure and authenticate user sign-on information, while the Liberty Alliance takes a so-called federated approach, meaning that the enterprise or a third party could control the user information. Neither service, at this point, would share user information.

As a result, enterprises interested in taking advantage of single sign-on for the Web must make a decision: Jump now onto Passport, the only one of the three currently available; wait at least until early next year to see what the Liberty Alliance and AOL have to offer; or decide to support any and all approaches. Each choice carries its own potential risks, and which your enterprise should select depends on several factors, experts say. Relatively new e-businesses without many registered users and without much in-house expertise in authentication will be more justified in embracing Passport now, according to experts. But enterprises with large online customer bases and the expertise to collect and use consumer information for personalization may want to take a wait-and-see approach.

The potential risks and rewards of embracing Passport are the most obvious, largely because it's the only Web-based single-sign-on service currently available. The Liberty Alliance won't have a solution on the table until early next year, too late for some organizations ready to deploy authentication services now. And AOL, which is quietly rolling out Magic Carpet across its properties and partner sites, hasn't even released specifics on what sort of Web services may come out of the corporation.

Already, however, Passport security has come under attack. Earlier this month, Microsoft was forced to shut down a portion of its Passport Internet Authentication service for 48 hours to address a security breach. The problem was associated with the Passport wallet service, an option that allows users to store credit card and shipping information within their digital IDs. A programmer reportedly devised a way to steal personal information from Passport wallet accounts by sending Hotmail users a message that, once opened, relies on cross-site scripting to steal the authentication cookies placed in the browser.

At the same time, despite the touted advantages of single-sign-on systems such as Passport, questions remain as to whether online customers really want any part of them. A survey by Gartner Inc., of Stamford, Conn., released in September found that 8 million Passport users said the main reason they registered was to have access to other Microsoft services, such as Hotmail e-mail. And, Gartner said, more than 70 percent of online adult U.S. consumers had not signed up for Passport and were highly unlikely to do so within the next six months. Why? A lack of value-added services accessible only through Passport.

But the security breach and concerns about user acceptance have not stopped some executives such as Rob Wight, CEO of Youknowbest.com Inc., in Celebration, Fla., from opting for Passport now. The main benefit, Wight said, is the ability to easily attract Passport users and, eventually, to customize services using online customer profiles. The company rolled out a beta of its consumer shopping service, Mylist.com, early this month. The service is built on Microsoft's .Net framework and uses Passport to provide single sign-on as well as e-mail alerts.

Youknowbest.com, which provides businesses and manufacturers of consumer goods with pricing and shipping data, began notifying its thousands of users earlier this year that they would need to have a Passport ID to continue using any of the sites services, including Mylist. So far, no users have complained about having to register information—such as their password and e-mail address—with Microsoft, Wight said.

When Youknowbest.com began developing a universal shopping list service, the company realized it would need to develop an infrastructure that would allow it to identify a user and his or her preferences to provide a personalized service. For example, Wight wanted to be able to give customers online alerts when products they were interested in became available on a given site.

Now, when a user visits Youknowbest.com's service, located at www.mylist.com, he or she must click on a co-branded Passport button to log in. The user then authenticates to Microsoft-hosted servers, which set time-sensitive, Triple DES (Data Encryption Standard)-encrypted cookies on the user's system. These cookies can be read only by Youknowbest.com using a key shared with Microsoft.
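The relying-party side of that flow, as an added example that is not part of the article and not Microsoft's or Youknowbest.com's code: a site holding a key shared with the identity provider must check a time-sensitive login ticket before trusting it. The example assumes a constructed shared key and a 300-second lifetime, and it seals the ticket with HMAC-SHA256 in place of the Triple DES encryption the article describes, so that it runs on the Python standard library alone; the checks it performs (shared-key validation, expiry, rejection of malformed or tampered tickets) are what a site consuming such a cookie has to get right regardless of the cipher.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed values: a demo key standing in for the key the site shares with
# the identity provider, and a short ticket lifetime (the "time-sensitive" cookie).
SHARED_KEY = b"constructed-demo-shared-key-do-not-reuse"
TICKET_LIFETIME = 300  # seconds


def issue_ticket(user_id: str, issued_at: float, key: bytes = SHARED_KEY) -> str:
    """Identity-provider side: seal the user id and issue time under the shared key.

    HMAC-SHA256 stands in for the Triple DES encryption the article mentions; the
    property that matters is that only a holder of the shared key can produce a
    ticket the site will accept.
    """
    claims = {"uid": user_id, "iat": int(issued_at)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def verify_ticket(ticket: str, now: float, key: bytes = SHARED_KEY,
                  lifetime: int = TICKET_LIFETIME):
    """Relying-party side: return the user id for a valid, unexpired ticket, else None."""
    try:
        payload_b64, tag_b64 = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed ticket
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key, or payload altered after issue
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    iat = claims.get("iat")
    if not isinstance(iat, int):
        return None
    if now - iat > lifetime or iat > now + 60:
        return None  # expired, or issued suspiciously far in the future
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


if __name__ == "__main__":
    t0 = time.time()
    ticket = issue_ticket("alice", t0)
    print("fresh ticket:", verify_ticket(ticket, t0 + 10))                       # alice
    print("stale ticket:", verify_ticket(ticket, t0 + TICKET_LIFETIME + 1))     # None
    print("other key:  ", verify_ticket(ticket, t0 + 10, key=b"not-the-shared-key"))  # None
```

The expiry window and the constant-time comparison are deliberate: a ticket that never expires turns the cookie-theft scenario described above into a permanent account takeover, and a plain `==` on the tag leaks timing information about how many bytes matched.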

"By going with Passport, our users don't have to decide whether or not they want to trust Youknowbest with their private information. We don't have to know a damn thing about them now," Wight said. "No doubt we will lose some customers who will object to using Passport, but millions of people already trust Microsoft with their information [on services such as Hotmail], and there is a large potential customer base for us to work with."

Unlike youknowbest.com, however, larger, more well-established online businesses seem to be in no hurry to deploy Internet single-sign-on services before there are a number of services to choose from. Sabre Inc., for example, has decided to monitor the progress of the Liberty Alliance as a sponsoring member while postponing any decision to use Passport.

"Given that we already have an established name space for all of our Web sites, we have first-mover advantage. As such, we don't need to be on the bleeding edge and can afford to be slow-moving followers," said Craig Murphy, chief technology officer of Sabre.

Sabre plans to use Sun's Sun Open Network Environment, or Sun ONE, Web services, which will make use of Liberty's sign-on system. But Murphy said he chose to participate in the Liberty Alliance because the system being proposed is distributed and would allow Sabre to use its existing user ID and authorization systems.

Under the Liberty Alliance approach, a user's travel and credit card information could reside in Sabre directories, not a third party's such as Microsoft's. Sabre's identification of the user would enable him or her to be automatically authenticated at any other travel service sites that participate in the alliance.

At the same time, Murphy is quick to point out that his company is not in an exclusive relationship with the Liberty Alliance. The plan, he said, is to participate in all single-sign-on solutions that make sense.

"We're not picking teams here," Murphy said. "I would like to see enough specificity from all parties to enable us to put up a handful of Web services with authentication and adequate respect for security, privacy, authorization and whatnot. I am not massively paranoid about data on any enterprise server that is run by a world-class organization like Microsoft or AOL and will not rule out their offerings in the future."

What concerns Murphy, however, is the idea of licensing and managing more than one authentication system. Managing more than one single-sign-on system, experts say, would not only be expensive, it would also involve the use of such technologies as Simple Object Access Protocol and XML to integrate the enterprise with each service. In addition, there would be the added expense of single-sign-on-service license fees. On top of that, enterprises would need to reserve space on their sites where users of the different sign-on services would log on. In addition, because the enterprise would be collecting information on users from a number of services, it could be complicated to aggregate customer information.

Sam Patterson, CEO at ComponentSource Inc., in Atlanta, shares Murphy's concerns about supporting more than one sign-on system. Still, that's exactly what Patterson plans to do, at least until a dominant system emerges. ComponentSource, which sells software design tools, is currently offering Passport log-ins while continuing to manage its own authentication system.

The company rolled out Passport in late May after a survey showed that a large percentage of the company's user base of 500,000 requested the service.

When AOL releases its Magic Carpet service, Patterson said he expects his company will also provide AOL sign-in capabilities for those customers using AOL, if there is a demand. He will do the same with any solution released by the Liberty Alliance.

"I wouldn't see more than half of our user base using Passport, so we will have to determine if there is customer demand and how we'll manage all these systems, but if our customers ask for Liberty Alliance or for AOL, we'll probably offer those services as well," Patterson said.

"Thing is, we don't want to support multiple methods of authentication in the long run," Patterson said. "We want to write to one interface and rely on one authentication federation."

IT managers shouldn't count on one dominant single-sign-on service emerging soon, or on Microsoft, Sun and AOL agreeing to allow their systems to interact.

Microsoft, of Redmond, Wash., has announced it will open Passport to other authentication systems beginning early next year via a federation agreement, essentially allowing other service providers to offer a branded version of Passport to their customers, with guaranteed interoperability between Passports issued from other providers, including Sun and its partners in Liberty.

Sun, however, has so far shown no inclination to act on Microsofts offer, and the Mountain View, Calif., company said Microsoft has an open invitation to join the Liberty Alliance at any time.

AOL, of Reston, Va., had no comment.

As a result, IT managers at large enterprises say they'll wait and watch.

"Single sign-on is the next wave of the Internet," Murphy said. "But until we can come to an understanding of how it will all work, enterprises will need to tread with caution."