Many enterprises still struggle to keep passwords under control, even with single sign-on technology. Innovation means new services, and each new service tends to come with its own password. Even though most of those web services are likely to be SaaS, enforcing a strict password policy across all these third-party services can be difficult.
Enter a new approach: federated identity. Instead of each service having its own password database, they can rely on an identity provider to run authentication for them. Many web services now support public identity providers. So, why aren’t we all using them today?
First, cost. Public identity providers need to make money. Large organisations can run their own identity provider instead, if this makes business sense. It is the same technology underneath.
Second, trust. Organisations may feel uncomfortable with relying on a third-party service for authentication. It’s not just a question of security; identity providers need to be highly resilient – you can’t let a failure deny all access to your systems. Again, this can be a reason to run your own identity provider.
Third, the protocols and standards are still evolving. Even though the Security Assertion Markup Language (SAML) has been around for more than a decade, auxiliary protocols such as OAuth are still being standardized. Meanwhile, cryptography continues to advance, and these protocols need reworking to include more secure algorithms. This means you can’t simply assume that everything will work together, although interoperability is improving all the time.
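The second paragraph describes the core of federated identity (the service keeps no password database and instead trusts an identity provider to authenticate the user), and the paragraph above notes that the signing algorithms behind it matter. The following Go program, added here as an illustration and not code from the original post or from any Citrix product, models that split: an identity provider signs a minimal assertion with a key only it holds, and a relying service verifies the signature against a pinned public key and then checks issuer, audience and validity window before trusting a single claim. The assertion format, the hostnames `idp.example.test` and `app.example.test`, the user `alice` and the 60-second clock-skew allowance are all constructed for the example; real deployments use SAML or OpenID Connect messages, but the checks a service must perform are the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is a constructed, minimal stand-in for the claims carried by a
// SAML assertion or an OIDC ID token: only the fields a service must check.
type Assertion struct {
	Issuer   string `json:"iss"` // which identity provider vouches for the user
	Subject  string `json:"sub"` // the authenticated user
	Audience string `json:"aud"` // the service this assertion is meant for
	IssuedAt int64  `json:"iat"` // Unix seconds
	Expires  int64  `json:"exp"` // Unix seconds
}

// IdentityProvider holds the only copy of the signing key. Relying services
// never see a password or this private key; they hold only the public half.
type IdentityProvider struct {
	Name string
	priv ed25519.PrivateKey
}

// NewIdentityProvider generates a fresh Ed25519 key pair and returns the
// public key for distribution to relying services (hypothetical helper).
func NewIdentityProvider(name string) (*IdentityProvider, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &IdentityProvider{Name: name, priv: priv}, pub, nil
}

// Issue runs after the IdP has authenticated the user by whatever means it
// uses (password, smart card, fingerprint); that step is outside this example.
// Token layout (constructed): base64url(payload) "." base64url(signature).
func (idp *IdentityProvider) Issue(subject, audience string, now time.Time, ttl time.Duration) (string, error) {
	a := Assertion{Issuer: idp.Name, Subject: subject, Audience: audience,
		IssuedAt: now.Unix(), Expires: now.Add(ttl).Unix()}
	payload, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(idp.priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// ServiceProvider is a relying service with no password database. It trusts
// exactly one issuer, identified by a pinned public key, and accepts only
// assertions addressed to its own entity ID.
type ServiceProvider struct {
	EntityID      string
	TrustedIssuer string
	TrustedKey    ed25519.PublicKey
}

// Verify checks the signature before parsing claims, then checks the claims.
// Any failure returns an error and no Assertion, so callers cannot act on
// unverified data.
func (sp *ServiceProvider) Verify(token string, now time.Time) (*Assertion, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	// The algorithm is fixed by the pinned key type; the token carries no
	// attacker-chosen "alg" field that could downgrade verification.
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(sp.TrustedKey, payload, sig) {
		return nil, errors.New("signature does not verify against trusted IdP key")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if a.Issuer != sp.TrustedIssuer {
		return nil, fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	if a.Audience != sp.EntityID {
		return nil, fmt.Errorf("assertion addressed to %q, not to this service", a.Audience)
	}
	const skew = 60 // seconds of tolerated clock drift between IdP and SP (constructed)
	if a.IssuedAt > now.Unix()+skew {
		return nil, errors.New("assertion issued in the future")
	}
	if a.Expires <= now.Unix()-skew {
		return nil, errors.New("assertion expired")
	}
	return &a, nil
}

func main() {
	idp, pub, err := NewIdentityProvider("https://idp.example.test")
	if err != nil {
		panic(err)
	}
	sp := &ServiceProvider{EntityID: "https://app.example.test", TrustedIssuer: idp.Name, TrustedKey: pub}
	now := time.Now()
	tok, _ := idp.Issue("alice", sp.EntityID, now, 5*time.Minute)
	a, err := sp.Verify(tok, now)
	fmt.Println(a, err)
	// An assertion minted for a different service is rejected here.
	other, _ := idp.Issue("alice", "https://other.example.test", now, 5*time.Minute)
	_, err = sp.Verify(other, now)
	fmt.Println(err)
}
```

The audience check is the one most often skipped in practice: without it, an assertion the identity provider issued for one SaaS application can be replayed at another that trusts the same provider. Pinning the key type rather than reading an algorithm name out of the token is what lets the service adopt a stronger algorithm by rotating the trusted key, which is the practical answer to the "protocols need reworking" concern above.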
The fourth issue is more fundamental. You don’t want to have to manage two separate worlds for authentication: one with federated identity, and the other with existing enterprise logon. That would lead to a poor user experience, and gaps in accountability and auditing – a particular concern if some of your users are partners or contractors. To link these two worlds, you need federation-fluent gateways and services, like Citrix NetScaler Unified Gateway and XenApp/XenDesktop Federated Authentication Services.
One last point: everyone knows why passwords aren’t a good way to authenticate: people reuse them, and they can be stolen. A future password replacement such as fingerprint authentication technically has to rely on some form of federated authentication. A world in which passwords disappear is the same world of federated authentication—a better world all round.