Hackers, standards and non-profits: A trinity to rescue Internet identity?

Identity on the Internet is in need of an overhaul. Are forces coming together to start the revolution or are traditional foils such as trust still too much to overcome?
Written by John Fontana, Contributor

A spark with the potential to redefine identity on the Internet could come as early as this summer at the confluence of two promising identity standards, the unifying efforts of an international non-profit industry organization, and recent high-profile hacker thefts of millions of passwords.

The pieces in this puzzle are the OpenID Foundation (OIDF), the group's nearly finalized OpenID Connect specification, and OAuth 2.0, an authentication/authorization standard making its way through the Internet Engineering Task Force (IETF).

Aiding the standards work and OIDF efforts is an avalanche of hacks that have angered tens of millions of online consumers whose passwords were stolen from the databases of sites such as Zappos, Sony, Gawker, and rootkit.com.

Also helping the cause are an army of consumers collecting more passwords than they can manage wisely, and a steady stream of media coverage of the widespread use and danger of weak passwords - such as Password and 123456.

The ultimate goal, which is likely years away, is an identity layer for the Internet that is distributed, decentralized, federated, and safeguards consumers' credentials while providing secure access to data and applications from any device.

"Anytime you try to move consumer behavior, otherwise known as adoption, you need to have everything lined up at the same time," says Don Thibeau, executive director of the OpenID Foundation. "I think we are at the beginning of that."

Standing in the way of success, however, are two formidable and familiar challenges - creating trust and showing consumers value in such a layer.

And the alignment for change is missing a critical mass of web site operators, software-as-a-service providers, and online consumers willing to adopt roles in a federated system that has passwords in its crosshairs.

That mass won't be easy to rally.

The Mozilla Foundation has created a distributed identity architecture called BrowserID, and while the technology is slick, the lack of participation by e-mail providers, tasked with validating user identities, is proving to be a major gating factor to possible widespread adoption.

Since last year, the OpenID Foundation has been addressing a similar fate by moving away from pure technology development and adding outreach to adopters.

"We think we have good solutions and now we are trying to convince Web site operators to get out of the password management business," said Eric Sachs, senior product manager for identity at Google, which is a Foundation sponsor.

The goal is to get Web sites to commit to become relying parties (RP), sites that accept identities issued by another entity. Those entities are called identity providers (IDP) and today they are mostly companies with massive user populations such as Facebook, Google, Yahoo and Microsoft.

But without an army of RPs, building an identity system that could trump passwords is difficult if not impossible.

The Foundation is hosting a workshop, sponsored by Google and Microsoft, on March 28 in London to educate potential RPs around the two standards, and a log-in user interface they can build into their web sites called Account Chooser. Response was so high that last week a new venue had to be found to accommodate the overflow.

"Changing the whole model of how the user logs in is tough, that is why there is Chooser," said one identity architect with a global service provider not based in the Valley.

The alignment of OAuth 2.0 and OpenID Connect, along with their pending standardization, represents progress over earlier iterations of the protocols, which were criticized for suspect security.

Both have new capabilities: OAuth 2.0 finally incorporates signed structured tokens, and OpenID Connect adds security mechanisms for higher-assurance authentication.

Both protocols could be finalized within weeks of each other this summer. The IETF is in the last rounds of review before OAuth 2.0 is blessed, and OpenID Connect, which is built on top of OAuth, is in an Implementer's Draft that is being field tested.

Both protocols align with the Internet trend toward simple, light and functional - including standards such as Representational State Transfer (REST) and JavaScript Object Notation (JSON) - as opposed to heavy and highly architected standards.

OAuth is being adopted by the likes of AT&T to secure its APIs for developers and by IBM to help secure interactions among its social networking applications.

OAuth and OpenID Connect also combine in important ways. OAuth secures the sharing of arbitrary data between Web sites or between devices and Web sites, but OAuth does not directly provide any sort of identity layer. OpenID Connect adds single sign-on and user profile sharing to authorize the user's client.

Both are decentralized, which means there is no single credential repository like the one that doomed Microsoft's Passport. Both employ browser redirects to orchestrate the authentication process but leverage back-channel API calls for direct sharing.
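To illustrate the combination just described (OAuth carrying the tokens, OpenID Connect supplying the identity layer, a browser redirect on the front channel and a direct API call on the back channel), here is an added example that is not code from the article or from any organization it mentions: a compact simulation of the OpenID Connect authorization code flow in which the relying party validates the ID token it gets back. The issuer URL, client id and client secret are constructed assumptions, and the IdP endpoints are plain functions standing in for HTTPS requests.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed issuer, client id and client secret; OIDC allows HS256 ID tokens keyed on the secret.
ISSUER, CLIENT_ID = "https://idp.example", "rp-example"
CLIENT_SECRET = b"constructed-client-secret"
_codes = {}  # IdP-side store: authorization code -> (subject, nonce), single use

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign_jwt(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def idp_authorize(subject: str, state: str, nonce: str) -> dict:
    """Front channel: IdP authenticates the user, then redirects back with a one-time code and the echoed state."""
    code = secrets.token_urlsafe(16)
    _codes[code] = (subject, nonce)
    return {"code": code, "state": state}

def idp_token(code: str) -> dict:
    """Back channel: RP presents the code directly; IdP returns an access token and a signed ID token."""
    subject, nonce = _codes.pop(code)  # reusing a code raises KeyError: codes are single use
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "nonce": nonce, "iat": now, "exp": now + 300}
    return {"access_token": secrets.token_urlsafe(16), "id_token": _sign_jwt(claims)}

def rp_verify_id_token(id_token: str, expected_nonce: str) -> dict:
    """RP checks signature, issuer, audience, expiry and nonce before trusting the login."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig_b64): raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID: raise ValueError("wrong issuer/audience")
    if claims["exp"] <= int(time.time()): raise ValueError("expired")
    if claims["nonce"] != expected_nonce: raise ValueError("nonce mismatch: possible replay")
    return claims

def rp_login(subject: str) -> dict:
    """Whole flow from the RP's side: redirect out, callback in, back-channel exchange, verify."""
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    callback = idp_authorize(subject, state, nonce)  # stands in for the browser round trip
    if callback["state"] != state: raise ValueError("state mismatch: possible CSRF")
    return rp_verify_id_token(idp_token(callback["code"])["id_token"], nonce)
```

A production RP would fetch the IdP's published signing keys and verify RS256 signatures instead of sharing a secret, but the claim checks (issuer, audience, expiry, nonce, state) are the same ones that keep a redirect-based login from being replayed or forged.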

And current adopters of the technology such as Facebook, Microsoft, Yahoo, Google, and AOL are already offering some form of multi-factor authentication, such as a code sent to a mobile phone.

"We are all experimenting with other things that we can use to make that one master key more strongly protected," said Google's Sachs.

Google is working with mobile provider Verizon, attribute exchange service ID/Dataweb, and trust framework provider Open Identity Exchange (OIX) on something they call Street Identity.

The plan defines a loosely-coupled legion of "providers" that supply, for a small fee and with user consent, pieces of data they know about their users - such as street address, age and/or mobile phone number. Those "attributes" are used to more accurately validate that user's identity.

Despite all the standards, recruitment efforts and other work in progress, there are two issues that could derail the entire alignment: trust and value.

Both Facebook and Google are embroiled in privacy debates that could leave many consumers leery of trusting either as caretaker of the keys to their Internet kingdoms. Microsoft's Passport miscue is still hampering its IDP efforts.

Consumers may demand other IDPs - a specialized company or a hub like Covisint, which supplies IDP services to the automotive and health care industries.

On the value side, consumers need a clear picture of what's in it for them.

"Convenience is the only pull now," says Ian Glazer, research director in the identities and privacy group at Gartner. "There hasn't been a value prop anyone has been able to express, there is no relying party saying we will withhold services until you use credentials of a certain strength."

Glazer acknowledges that the piece parts of future Internet identity are coming together, but what's missing is the golden spike that ties it all together.

"I'm still not seeing the killer app that is only unlocked by these capabilities and technologies. I still think that is years away."

OIDF's Thibeau is pragmatic but optimistic that the world is ready for a change based on all the new faces he sees.

"My leading indicators are that when I go to a conference or an OpenID event am I seeing new faces, and that is starting to happen," he says. "So we think the shift is happening and people are saying I better do something."

If the stars align, he could be right.

Disclaimer: One of my employer's technical architects is a corporate board member of the OpenID Foundation
