Author: Yogi Schulz
Web surfers are becoming more and more frustrated trying to manage their identity at more and more web sites. Surfers are paranoid that they risk having their identity hijacked.
These issues are threatening to undermine our e-Business goals. What should we be thinking about, as enterprise systemsdesigners, to address these frustrations and fears?
Too many user ids
Our identity becomes progressively more widely known as we create user id and password combinations at the web sites where we like to surf and want to do business. For example, as consumers, many of us have user ids for WestJet, Chapters Indigo, eBay, L. L. Bean and at least one bank to name a few. As an information technology consultant, I have user ids for IBM, Microsoft, Oracle and Sun among others. As this list grows, we become more and more frustrated trying to remember and manage all this clutter.
As system designers, we need to make it easy for surfers to retrieve their forgotten passwords. This feature eliminates a lot of trivial calls from your call center. I like web sites that mail the password to the registered user.
Microsoft Passport
Microsoft was the first organization to offer a solution to this problem through its Passport authentication service. Passport is anonline service that makes it possible for us to use our e-mail address and a single password to sign in to any Passport-participating web site or service.
Adoption of Passport authentication service has not been as universal as Microsoft envisioned because of various uncertainties. The Federal Trade Commission in the United States expressed concerns about the adequacy of security and privacy protection at Passport. Microsoft has addressed many of these concerns. Perhaps more importantly, many business owners are fearful that Microsoft would be able to insert itself into the relationship between the business and its valued customers through the Passport service.
Liberty Alliance
In response to misgivings about the Passport service, a large number of businesses including United Airlines, American Express, MasterCard and General Motors formed the Liberty Alliance at the urging of Sun Microsystems. The Liberty Alliance has published a specification for a federated authentication service that does not rely on a central authority like Passport. Mr. Gordon Sissons, the Vice President of Technology at Sun Microsystems Canada, expects that “the Liberty Alliance will create an open market for identity that removes the current lack of trust inhibitor and spurs growth in e-commerce”. The Liberty Alliance published its specification in the summer of 2002 and has followed up with the Final 1.1 Specification in January 2003. The members of the Liberty Alliance can be expected to implement the specification quickly, so that in a year or so, we will be offered another way to avoid user id and password overload.
Conclusions
As systems designers, we need to follow the development of these services and incorporate them into our e-Business strategy as they gain maturity. In the mean time, we need to make sure our web site design strikes the right balance between ease of access and fraud deterrence.
If you’d like to receive references for the technology of identity management, please send me an e-mail.
References/Resources:
Identity ManagementMicrosoft Passport
www.passport.com
Microsoft’s Agreement with the Federal Trade Commission on Passport
www.microsoft.com/presspass/features/2002/aug02/08-08passport.asp
.NET Passport Integration with the Microsoft Mobile Internet Toolkit
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnmitta/html/MMITPassport.asp
Liberty Alliance Project
www.projectliberty.org
Sun releases Liberty Alliance tool
http://news.com.com/2100-1001-958526.html
Phaos releases Liberty Alliance developer toolkit
http://www.phaos.com
Relevant Articles
Microsoft Hailstorm and Passport Assessment and Opinion
http://www.go-mono.com/passport.html
Risks of the Passport Single Signon Protocol
http://avirubin.com/passport.html
Identity Theft Resources
Identity Theft Resource Center
www.idtheftcenter.org
Privacy Commissioner of Canada
www.privcom.gc.ca/fs-fi/02_05_d_10_e.asp
Privacy Rights Clearinghouse
www.privacyrights.org
RCMP – Identity Theft
www.rcmp-grc.gc.ca/scams/identity.htm
United States Federal Trade Commission
www.consumer.gov/idtheft
Consumer Sentinel
www.consumer.gov/sentinel
ID Theft: When Bad Things Happen To Your Good Name
www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
