It seems 2007 will be an interesting year for identity. Currently, it is hard to exist on the internet without managing multiple identities for multiple web sites, often secured with nothing more than a username and password. This is too insecure.
There are numerous initiatives to address this problem. One approach is for an internet giant to offer itself as the guardian of your online identity. Yahoo’s Browser-Based Authentication (BBAuth) is an example. When you want to log on to a web site, it redirects you to a Yahoo log-in. With your consent, the site can then access specified Yahoo data. Google has made similar moves with its Account Authentication API, and Microsoft, which in 2001 famously proposed and then ditched plans to make its Passport service an internet-wide identity standard, is now re-positioning Passport as Windows Live ID.
Schemes like this have some merit, but they cannot solve the generic problem because nobody wants a single entity to manage everyone’s online identity. The more interesting schemes are those that will allow for multiple identity providers.
One is OpenID, an open-source project, which is simple to implement and allows anyone with a URL to be an identity provider. When you log on to a site that accepts OpenID, you authenticate yourself to your OpenID provider, optionally giving permission for the site to access specified personal data. OpenID is in its infancy, but will grow rapidly in 2007 because of widespread grassroots support.
Perhaps surprisingly, the most compelling online identity system comes from Microsoft. Windows CardSpace is a sophisticated system for managing multiple identities. Microsoft provides three pieces: a user interface, which is part of IE 7; a specification; and an API, which is part of the .NET Framework 3.0. When the user needs to log in to a web site, a card selection dialog appears. Each card is a security token representing an identity provider and some personal information such as name and address or credit card details. The user selects an appropriate card and sends it to the site, which is then able to retrieve the personal details from the identity provider.
One of the attractions of CardSpace is that it provides its own user interface, instead of asking the user to type credentials into a web page. This makes CardSpace more resistant to phishing attacks. It is also a complete enterprise-ready framework. The snag with CardSpace is that cross-platform, cross-browser support is not well advanced, though there are Java implementations.
In a few years’ time, we will regard web sites that proffer login forms as buggy and insecure. That moment cannot come too soon.








