Group building bridge between identity, strong authentication standards

Focus is on enterprises, service providers mixing and matching standardized identity and access controls
Written by John Fontana, Contributor

For years, open standards have been the focal point of creating an identity and access control environment that can scale to the size of the ever-growing Internet.

Separate consortia and alliances have tackled specific parts of this equation be it single sign-on or strong authentication. This week, the OpenID Foundation announced during a face-to-face workshop in Mountain View, Calif., a new effort to create a protocol so two-factor authentication standards can easily combine with the group's OpenID Connect standard, a single sign-on and identity profile mechanism built on the Internet Engineering Task Force's authorization standard, OAuth 2.0.

The significance is that enterprises and online service providers could mix and match these standardized technologies in various ways to meet identity and access control needs based on specific use cases, ranging from protecting sensitive data to securely logging into corporate and cloud-based applications.

Identity, much like other technologies, is built on a "stack" of defined features and operations. These pieces include identity proofing, user management, strong authentication, federation and single sign-on.

The OpenID Foundation's new Strong Authentication Protocol working group will come together in a few weeks and focus on developing a simple connector that will create a bridge for incorporating strong authentication. The simple connector, however, will leave strong authentication management to developers of those protocols, namely the FIDO Alliance.

"It's a very modest connector, we see great value in doing small modest things," said Don Thibeau, executive director of the OpenID Foundation. "The goal is to make OpenID Connect more accessible to FIDO and vice versa. We're keeping this simple and making the complex possible." The connector is not specific to FIDO and will work with other strong authentication schemes.

Thibeau said when users log into a service provider, which has OpenID Connect-based authentication deployed, the connector allows the provider to invoke a policy that requests a user perform a specific task, such as using a two-factor authentication token.
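The article does not specify how the working group's connector will express such a policy, but OpenID Connect Core 1.0 already carries the pieces a relying party needs: the `acr_values` request parameter to ask the provider for a stronger authentication context, and the `acr` and `amr` ID token claims (with `amr` values from RFC 8176) to check what actually happened. The following is an added example, not code from the article, the OpenID Foundation or FIDO; the issuer, client id, redirect URI and `urn:example:acr:mfa` value are constructed placeholders, and the claim sets at the bottom are constructed test data. The security-relevant point it demonstrates is that `acr_values` is only a request, so the relying party must verify the returned claims rather than assume the provider honoured it.

```python
"""Relying-party side of a step-up authentication request in OpenID Connect.

Added example. Parameter and claim names (acr_values, acr, amr, nonce, iss,
aud, exp) come from OpenID Connect Core 1.0 and RFC 8176; every URL, id and
acr string below is a constructed placeholder. The claim set passed to
check_step_up() is assumed to come from an ID token whose JWS signature has
already been verified with a JOSE library; that step is out of scope here.
"""
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://idp.example.test"           # constructed placeholder
CLIENT_ID = "demo-rp"                          # constructed placeholder
REDIRECT_URI = "https://rp.example.test/cb"    # constructed placeholder
AUTHZ_ENDPOINT = ISSUER + "/authorize"         # constructed placeholder
MFA_ACR = "urn:example:acr:mfa"                # constructed; real acr values are deployment-defined

# RFC 8176 amr values grouped by factor category (subset used in this example).
FACTOR_CATEGORY = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "hwk": "possession", "swk": "possession", "otp": "possession",
    "sc": "possession", "sms": "possession", "tel": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence",
    "retina": "inherence", "vbm": "inherence",
}


def build_auth_request(nonce, state, acr_values=MFA_ACR):
    """Build the authorization request URL that asks the provider for acr_values."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        # Voluntary request: the provider may answer with a different acr,
        # which is why check_step_up() re-verifies the returned claims.
        "acr_values": acr_values,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def amr_shows_two_factors(amr):
    """True if the amr claim proves two distinct factor categories (or 'mfa')."""
    if "mfa" in amr:
        return True
    categories = {FACTOR_CATEGORY[m] for m in amr if m in FACTOR_CATEGORY}
    return len(categories) >= 2


def check_step_up(claims, expected_nonce, now=None):
    """Validate a signature-verified ID token claim set against the MFA policy.

    Returns (ok, reason). Standard ID token checks (iss, aud, nonce, exp) run
    first; only then is the authentication context examined.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        return False, "audience mismatch"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("acr") == MFA_ACR:
        return True, "acr satisfied"
    if amr_shows_two_factors(claims.get("amr", [])):
        return True, "amr shows two factor categories"
    return False, "no evidence of second factor; re-prompt or deny"


if __name__ == "__main__":
    nonce, state = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_auth_request(nonce, state))
    # Constructed claim sets: the first shows a password plus hardware key,
    # the second a password-only login that the policy must reject.
    good = {"iss": ISSUER, "aud": CLIENT_ID, "nonce": nonce, "sub": "user-1",
            "exp": time.time() + 300, "amr": ["pwd", "hwk"]}
    bad = dict(good, amr=["pwd"])
    print(check_step_up(good, nonce))
    print(check_step_up(bad, nonce))
```

The two-category rule in `amr_shows_two_factors` is a policy choice for this example: a provider that reports `["pwd", "pin"]` has used two knowledge factors, which is not two-factor authentication, so the check groups values by category instead of counting them. In a deployment that has agreed specific `acr` values with its provider, the `acr` comparison alone is the cleaner test.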

"This allows the FIDO community to build on OpenID Connect, which is already adopted by billions of people," said Thibeau. The FIDO community also has grown a substantial user base and membership, and the two groups seem to be a natural fit within the identity "stack."

Many of the same companies and end-user organizations, including Microsoft and Google, are members of both efforts as they modernize and expand their identity and access control capabilities.

"We are seeing clear preferences and requirements for open standards," said Thibeau. "The indicator is when large organizations like the U.S. government come to our workshops. Here, for the first time, we have government standards platforms engaging with the private sector on its terms. This is new for them."

Case in point, the OpenID Foundation has a new working group called iGov, whose initial participants include 10 governments.

"It's a rare occurrence to have all these architects comparing designs," said Thibeau. "They do it because they have to, because they have to interoperate."
