A Tale of Two Single-sign On Initiatives
By Valerie Thompson, Thu Dec 06 00:00:00 GMT 2001

Neither Liberty Alliance nor Microsoft holds all the answers right now.

The Internet industry has been struggling for years to find the online equivalent of the signature as a way to legally identify someone accessing a web site or making an online purchase. So far, the most popular solution has been to give users identification codes and passwords. The result is that each user has a dozen or more such passwords.

The idea of enabling a user to log in once to a trusted third party, which would give her or him the ability to move between sites without having to enter all the information required each time, has been floating around for a while without a great deal of acceptance by users.

Who do you trust?

Single sign-on is supposed to make life easier, since only one password, login, and profile need to be remembered and maintained. Common sense says, however, that no single company will ever be able to sign up all Internet users. With its Passport/Hailstorm solution for consumer and business users, Microsoft believes that since its software is used by the majority of people to access the web, it is the right party to offer a single sign-on.

Microsoft plans to charge portals, shops, and any other web services company every single time a user accesses their sites or shops using Microsoft's single-sign on system.

For the rest of the world, those who do not access the web using Microsoft's software, such as the millions of Unix and Linux users, as well as the formidable number of expected Internet users who will be coming in over mobile communications networks, there is Liberty Alliance.

Just this week the AOL/Netscape contingent, which also numbers in the millions, announced it would join the Liberty Alliance's efforts, lending the Liberty Alliance growing cross industry support.

"A broad spectrum of support is critical since single sign-on is a foundational issue that touches a wide range of technologies and enterprises, including digital certificate vendors, wireless service providers, web infrastructure software, and so on," points out Randy Heffner of Giga Information Group in an IdeaByte memo to corporate customers.

Missing from the single sign-on playing field are Ericsson, IBM, Oracle, Yahoo, and SAP, to name a few.

Besides giants of the mobile and online world, the Liberty Alliance has some industrial partners, such as General Motors and American Airlines, suggesting the types of ad-hoc networks a single sign-on could be carried over, from in-car mobile support services to frequent flyer loyalty programs.

AOL's investment of $100 million in Amazon.com is perceived by analysts as a tactic to improve its own online identification technology, a solution known as Magic Carpet. An AOL spokesperson said that AOL would continue to develop its own identification system but would share programming expertise with Liberty Alliance partners to ensure the systems are compatible.

In addition, Nokia has working authentication support in its new Open Mobile Architecture, which it is trying to license to other mobile phone manufacturers.

The fact that both are continuing work on their own solutions suggests that an interoperability layer or module will be added on top of them. Even Microsoft has said that it will "interoperate" with other systems. This points to a new protocol between existing systems rather than a single new specification that everyone implements.

After analyzing what technical and commercial information is available about the two competing camps, Heffner concludes that each contender has only half an answer to the question of user identification and single sign-on. Liberty Alliance has the advantage of industry support, but it lacks a working solution to examine next to Microsoft's Passport. Microsoft has a technical solution but lacks cross-industry support and trust, and it is not clear how it will address the wireless world.

Liberty Alliance: liberty from what?

The members of the Liberty Alliance number about 33, including Sun Microsystems, the Apache Software Foundation, AOL/Netscape, NTT DoCoMo, Bank of America, eBay, RealNetworks, Nokia and RSA Security. Its goal is to "develop and deploy an open solution for network identity" and to provide a "federated solution for network identity - enabling ubiquitous single sign-on, decentralized authentication and open authorization".

A federated solution means that individuals, groups, organizations, applications and devices each have a unique identity that can be used across various online services, sites, and destinations after checking in once at the site of a trusted party belonging to any member of the federation. The party that checks the credential and the site that relies on the result are different organizations, so the relying site must be able to verify that the identity claim really came from the trusted party, was meant for it, and is still fresh.
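To make the federated model concrete, the following is an added illustrative example written for this article; it is not the Liberty Alliance's specification (which had not been published at the time of writing) nor Microsoft's Passport protocol. One identity provider holds the only password database and issues a short-lived, signed assertion bound to the destination site; each service provider in the federation verifies the signature, issuer, audience, expiry and a one-time identifier instead of keeping its own password for the user. The names idp.example, shop.example and air.example, the user "alice" and all keys are constructed for the demo. To keep the example standard-library only, the assertion is protected with an HMAC over a per-site shared secret; a real federation would use public-key signatures so that the site verifying an assertion cannot also forge one.

```python
"""Toy federated single sign-on (constructed example, not any vendor's protocol)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the identity provider never stores a reversible credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """The one party in the federation that ever sees a password."""

    def __init__(self, name: str, federation_keys: dict):
        self.name = name
        self._keys = federation_keys  # service name -> shared secret (assumed pre-shared)
        self._users = {}              # username -> (salt, PBKDF2 hash)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def authenticate(self, username, password, audience, now=None, ttl=300):
        """Check the password once; on success return an assertion bound to
        `audience` (the site the user is heading to), or None on failure."""
        record = self._users.get(username)
        if record is None or audience not in self._keys:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        now = time.time() if now is None else now
        claims = {
            "iss": self.name,               # who vouches for the user
            "sub": username,                # who the user is
            "aud": audience,                # which site may accept this
            "iat": int(now),
            "exp": int(now) + ttl,          # short lifetime limits theft damage
            "jti": secrets.token_hex(16),   # unique id so a site can reject replays
        }
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._keys[audience], body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class ServiceProvider:
    """A site in the federation: stores no passwords, only the federation key."""

    def __init__(self, name: str, idp_name: str, key: bytes):
        self.name = name
        self.idp_name = idp_name
        self._key = key
        self._seen = set()  # jti values already accepted (replay cache)

    def accept(self, assertion: str, now=None):
        """Return the asserted username, or None if the assertion is rejected."""
        try:
            body, sig = assertion.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None  # forged or tampered
            claims = json.loads(_unb64(body))
        except ValueError:
            return None
        if not isinstance(claims, dict):
            return None
        now = time.time() if now is None else now
        if claims.get("iss") != self.idp_name or claims.get("aud") != self.name:
            return None  # not from our identity provider, or meant for another site
        if now >= claims.get("exp", 0):
            return None  # expired
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self._seen:
            return None  # replayed
        self._seen.add(jti)
        return claims.get("sub")


def demo():
    """Run the flow and collect outcomes; constructed data throughout."""
    keys = {"shop.example": secrets.token_bytes(32), "air.example": secrets.token_bytes(32)}
    idp = IdentityProvider("idp.example", keys)
    shop = ServiceProvider("shop.example", "idp.example", keys["shop.example"])
    air = ServiceProvider("air.example", "idp.example", keys["air.example"])
    idp.register("alice", "correct horse battery staple")
    t0 = 1_000_000  # fixed clock so the demo is deterministic
    results = {}
    results["bad_password"] = idp.authenticate("alice", "wrong", "shop.example", now=t0)
    token = idp.authenticate("alice", "correct horse battery staple", "shop.example", now=t0)
    results["shop_first_use"] = shop.accept(token, now=t0 + 1)
    results["shop_replay"] = shop.accept(token, now=t0 + 2)        # same jti again
    results["wrong_audience"] = air.accept(token, now=t0 + 1)       # issued for the shop
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = "mallory"                                        # attacker edits the subject
    results["tampered"] = shop.accept(_b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig, now=t0 + 1)
    token2 = idp.authenticate("alice", "correct horse battery staple", "shop.example", now=t0)
    results["expired"] = shop.accept(token2, now=t0 + 301)          # past the 300 s lifetime
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:15s} -> {outcome}")
```

The shop never learns alice's password; it only learns that idp.example vouched for "alice" for this site, within the last five minutes, exactly once. The audience check is what keeps one site from taking an assertion issued for another and presenting it elsewhere, and the replay cache is what stops a captured assertion from being reused within its lifetime.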

The Liberty Alliance says it will deliver a technical specification sometime next summer. "We've got a technical working group in place and expect to publish the standard in 6 to 9 months," says Jason Lewis of RSA Security, a Liberty charter member. The time it would take to get one of the standards boards to approve and ratify the standard has to be added to this timeline.

"There are active meetings and the constitution and voting rules have been formed. Several technology sub-committees or working groups have also been created," says insider Ian Walker, the Technical Director for Entrust EMEA, a founding member of the Liberty Project.

Liberty Alliance talks about its "Liberty standard" being an "open standard". However, there is no mention of the eventual standard being submitted to any standards governing body. When asked about that, RSA's Lewis told TheFeature to please refer to it as a specification.

The completion of the charter signing was supposed to take place within 45 days of the September 26th announcement, according to various press releases issued by the Liberty founders; more than 65 days have now passed. Jason Lewis of RSA Security mentioned in a telephone interview that RSA became a charter member when it signed the document last week.

Any lost time on the side of Liberty Alliance increases the risk that the coalition might fail.

Microsoft's passport to nowhere

Reacting to mounting legal and industry criticism, Microsoft is now saying it will alter its Passport authentication system to interoperate with similar services from competing companies. The company even announced plans to consider handing over management of the system to a "federated" group made up of rivals and corporate partners, according to trade publications.

Since Liberty's announcement, Microsoft has been doing some major marketing, announcing last week a plan to become a source of knowledge and information on Internet privacy and security, beginning with a public survey of users' privacy needs.

Trust and Microsoft are words not often put together these days. Most recently, serious security flaws caused Microsoft to disable the virtual wallet function of its Passport service and to notify partners about the vulnerabilities.

The bugs in Passport were brought to the attention of the press last month by Marc Slemko, a software developer and Linux promoter who lives near Microsoft's Redmond, Washington, headquarters, and who was able to get at the identity and user information stored in the Passport system with very little effort. (Slemko is a founding member of the Apache Software Foundation, which is also listed as a potential charter member of the Liberty Alliance.)

Slemko sent Wired News a specially crafted but innocent-looking e-mail. Moments after the e-mail was viewed using Microsoft's Hotmail web-based e-mail service, Slemko was able to read the journalist the credit card number and contact information from the user's Passport wallet over the phone. He did it by exploiting browser bugs together with flaws in Passport's authentication system; the attack required no password from the victim, only that the victim open the message while logged in.

What Microsoft has is a huge user base, both corporate and consumer, and Passport is integrated into its new XP operating system. What Microsoft desperately needs to work on is increasing the level of trust in the public's hearts and minds.

Privacy concerns must be addressed

Privacy advocates and security professionals know the risks of single sign-on. Last year, researchers at AT&T published a paper observing that Microsoft's single sign-on service "carries significant risks to users".

Storing such information in a single spot increases the risk of identity theft and invasion of privacy: one compromise of the central party exposes every federated site at once. The Liberty Alliance has still not stated exactly how privacy will be protected, how users will be shielded from the electronic equivalent of junk mail and other forms of obnoxious advertising, or how personal information will be protected.

"If history has shown us anything, it's that the best protection lies in decentralizing power and promoting competition. We need to take the same approach to our digital identities and make sure that who and what we are is not held captive by a single entity," writes Whitfield Diffie, one of the inventors of public-key cryptography in an editorial in a Sun Microsystems in-house publication.

When we flocked to the Internet, it was not just because the browser offered nifty graphics; it was because of the Internet's openness. Users abandoned the proprietary CompuServe, Minitel, and AOL networks, with their single sign-on solutions (remember, members could access any vendor within the network without having to log in each time, and pay directly on the monthly bill), for the Web and its wide open access to information and, eventually, free commerce too.

So, will most Internet users be very happy about giving the likes of AOL, Microsoft, Sun Microsystems, Nokia, or NTT DoCoMo more access to their personal information and consumer behavior?

Withhold your judgment

The federated solutions proposed by the Liberty Alliance, and now apparently supported by Microsoft, look set to win the day. Security experts and researchers working on secure cooperation topics in the labs are increasingly favoring multi-party secure protocols, which could be the direction the Liberty Alliance is headed.

In a project seeking the best solution for electronic elections in the context of e-government, a group of researchers at the Federal Technical University in Zurich have developed multi-party computation protocols that do away with the need for a trusted party and are efficient and modular. Traditionally, such protocols tend to be very "complicated and weird", say the researchers, but the recent progress suggests there is a way forward with a solution that addresses privacy, enables authentication for both sides (user and commercial organization), and keeps the whole thing open and expandable.

Judgment day still isn't here, though. We'll have to wait for the so-called federated alliance to deliver a concrete, implementable technology before drawing any conclusions.

Valerie Thompson is a freelance business and technology journalist, specialized in emerging networking and computing topics. She lives in Zurich, Switzerland.