Cloud-era authentication infrastructure taking shape

Google, Microsoft, Salesforce, GSMA, UK, welcome final OpenID Connect spec in effort to scale ID services across cloud, mobile
Written by John Fontana, Contributor

The OpenID Foundation Wednesday blessed the final version of OpenID Connect, an authentication protocol that is being called a cornerstone for scalable, standardized identity-based access control across SaaS, mobile apps, enterprise and other resources.

"We now have a protocol that is an official standard," Don Thibeau, executive director of the OpenID Foundation, said.

OpenID Connect (OIDC) is a layer on top of the Internet Engineering Task Force (IETF) authorization framework OAuth 2.0. The two pieces belong to a new generation of Internet protocols built on standards such as Representational State Transfer (REST) and JavaScript Object Notation (JSON), which are finding favor with developers and also eliminate the need for enterprises to open additional ports on their firewalls.

But a protocol by itself does not define a technology milestone, so the significance of Connect comes from its ability to support single sign-on that scales across domains, most notably the cloud, that does not rely on a browser, and that extends out to client devices, most notably mobile devices and the native apps installed on them.

Of course, the infrastructure and client support around Connect still need to be built, but vendors such as Deutsche Telekom and Google are already working on it, along with a host of others including Microsoft, PayPal, Yahoo, Verizon, Symantec, Salesforce.com, SecureKey and Ping Identity (disclosure: Ping is my employer).

Deutsche Telekom, which adopted the protocol in the middle of last year, converted its largest service to Connect and is making the protocol the foundation of all its authentication connections with its partners.

"OIDC has the right balance of simplicity and security, and is much more powerful in controlling the authentication process," said Torsten Lodderstedt, senior product owner for identity management at Deutsche Telekom.

A likely scenario that Connect could trigger is the creation of trusted identity hubs across the Internet that would issue end-users authentication credentials valid across sites.

Such a structure would eliminate the need for end-users to create a username and password at each web site they visit. And those web sites could get out of the identity business, which would mean they no longer create and store credentials of the kind being stolen by hackers at an alarming rate, including in the recent thefts at Comcast and Kickstarter.

"The message to the marketplace is to leave sign-in to the companies that are best able to provide it," said Thibeau.

European mobile operators are poised to work toward that end. Next week, the GSMA, the organizer of this week's Mobile World Congress, plans to announce work on a Connect profile that will ensure identity interoperability among the association's 800-plus mobile operators. The profile will allow the sharing of attributes used to authenticate a particular user, such as a mobile number.

In a separate move, the UK plans to roll out a number of Connect-based pilots that will provide citizens with identities for interacting with government services. One of those pilots will involve four mobile operators doing business in the UK. Those operators will explore the business, legal and technical requirements of deploying an identity authentication and authorization service for mobile users.

The UK's Identity Assurance (IDA) program, which was established in Nov. 2011, has the potential to be a marquee example worldwide for creating an identity infrastructure at scale that links consumers and services while incorporating next-generation user interfaces and credentials, and solving back-end challenges such as secure user-data exchange and trust models.

"There are both negative and positive forces driving this," said Thibeau. "The latest breaches are reinforcing the need for new levels of security across the ecosystem. Connect represents an important part of the infrastructure for that. It's not a sexy story to sell, but it fosters more security and privacy to the identity ecosystem."