The Year In Identity, 2013 Edition

It's December, and that makes it a good time to look back on 2013 to summarize some of the year's high and low points in the identity field. I've also included some remarks from an interview with Ping Identity's CEO Andre Durand on the state of identity today, and where it's going.

 

Identity at the Center

Probably the biggest identity-related trend this year has been the increased recognition of the central role that identity plays in all the digital work we do today—and how weak identity architectures make us ever more vulnerable. Web-based services (aka cloud), mobile apps, and a general rise in Internet-connected devices of all kinds (aka the Internet of Things) demonstrate the importance of identity in determining how to use them securely.

 

Identity standards are in place to make this adoption easier. But true to Metcalfe's Law, a standard's usefulness is proportional to the square of the number of entities that actually use it. Translation: You can build it, but it ain't much good if they don't come. The OAuth 2.0 and OpenID Connect standards have continued their rapid rise in popularity, filling a desperate need for mobile-friendly identity and security. (OAuth 2.0 is an "authorization-centric," flexible protocol that also supports authentication, and OpenID Connect is a relatively simple identity layer built on top of OAuth 2.0.) Despite predictions of its demise, the venerable SAML protocol is widely in use and isn't going away any time soon. 

 

Standards for user provisioning—which is the lifecycle management of users at a cloud service provider (e.g., Office 365) by the identity provider (your company)—are moving slowly forward. Rather, I should say "standard for user provisioning," because there is really only one user provisioning standard that's making any headway this year. System for Cross-domain Identity Management (SCIM) has moved slowly forward in standards committees (version 1.1 is the most current), but the important metric is whether anyone is actually using it (Metcalfe's Law again). It is being adopted, but rather slowly. So, businesses continue to surge ahead with either proprietary provisioning engines or none at all.

 

Durand agrees that a standardized identity layer for the Internet is moving closer to completion. It will most likely use OAuth 2.0 and OpenID Connect for authorization and authentication, and SCIM for identity provisioning. His analogy for this identity layer is that of DHCP and DNS. "DHCP's ability to automatically assign a unique identifer—an IP address—to a device makes it discoverable on the network.  DNS's name-to-IP-address resolution capability made it possible for humans to easily work with the devices. In the same way, we need to make identities on the network immediately and automatically available on the network without having to do a lot of the plumbing. We don't think about what DHCP is doing; we just know we're on the network."

 

Another plus this year has been the increasing acceptance of multi-factor authentication (MFA). This important branch of authentication and security relies on not only what you know (a password) but what you have (a PIN). The wide acceptance of SMS as a communications medium has made this possible, as pretty much anyone who might need secure access to a website has a mobile phone of one kind or another. The popularity of smartphones, which in the next few years will represent virtually all of the mobile phone market in the most developed countries, also allows mobile apps to be used for MFA. Google or Microsoft Authenticator generates one-time passwords for logon, and the new iPhone 5S has an integrated fingerprint reader. The FIDO Alliance seeks to make all kinds of MFA easier through a standard set of mechanisms instead of the proprietary ones we have today. Over the next couple of years, I expect to see a wide variety of biometric devices built in to mobile devices; it'll become one more decision point when you're looking at your next mobile device.

 

Since I'm talking about MFA, let me just say that I'm happy to have it, but if you're any kind of a connected person, it gets tedious very quickly. It's simple math. I'm not sure how many Internet-connected devices the average American owns, but I use five on a more-or-less daily basis. On four of them, I run at least two browsers. I have MFA set up on five websites (as best I can remember). That's (4*2+1)*5 = 54 possible interactions between a browser and an MFA site. The first time you set up a session between these, you must provide a PIN to the site, typically sent as a text message to your phone. To add to the fun, the session cookie for many of these sites expires after 30 days, so you must re-authenticate. And if you're on an Internet-connected flight, a PIN code by text (rather than from an authenticator mobile app) won't reach you, so you're out of luck.

 

Identity management as a service (IDaaS) continues to gain popularity, and you should seriously consider it when you're looking for Internet SSO solutions. Importantly, Microsoft unveiled Windows Azure Active Directory to general availability in April, mentioning that the platform already had 2.9 million businesses, governments, and schools using it. The company proceeded to add capabilities (MFA, a third-party SSO portal) as fast as it could, and I'm sure it isn't done yet. In a few short months, Azure AD transformed itself from a "What is it?" product to an IDaaS offering that will be a force to be reckoned with. 

 

Durand sees IDaaS as the second of three overlapping trends in identity, each in different phases of maturity. The first, most mature trend is federation. "Federation is not going away; it's an integral part of connecting. On-premises identity bridges will be around for a while, but management of these bridges will move to the cloud." Durand feels that the second, IDaaS, is the next-generation identity and access management platform. 

 

The third and least mature trend is outsourced identity. Also known as portable identity, it turns our current identity model—separate work and consumer identities—on its head. In outsourced identity, you have a single identity that you attach to different scenarios. The most common example today is in the consumer space, where you have an account from a commercial identity provider such as Facebook, Google, Yahoo!, or Microsoft, and use that account to log on to other web services such as Tripit. You retain your original identity and extend it to other web services. The emerging scenario is using this consumer account as a work account as well. A consumer account doesn't have the identity proofing (e.g., Social Security, driver's license) that an enterprise requires, so additional layers of authentication (step-up AuthN) are added to make the identity usable. When the employee leaves the company, the extra layers are removed and he or she moves on with the original identity.

 

Microsoft expanded the identity capabilities of its on-premises products this year as well. Active Directory Domain Services (aka the AD in your data center) and especially Active Directory Federation Services (AD FS) have been enhanced in Windows Server 2012 R2 to accept a lightweight join of mobile devices to the corporate domain, enabling several flexible authentication/authentication scenarios that weren't previously possible.

 

On the downside, the bad guys haven't slowed down at all. And though the debate rages on whether the National Security Agency (NSA) is the bad guy, the Snowden revelations of how deeply NSA has penetrated our digital lives have generated rage, distrust, and a general pullback from the overall movement to the cloud. The National Strategy for Trusted Identities in Cyberspace (NSTIC), the government-sponsored (but privately driven) development of an identity ecosystem to raise the overall security of Internet transactions, has been making slow but solid progess; it surely must be battered by this watershed moment in surveillance exposure.

 

In the cyber attacks department, the big news in 2012 was the Adobe security breach that compromised 2.9 million users' credit card and other personal information. It doesn't matter how many factors the website authentication scheme has if a well-crafted phishing email message opens the back door. 

 

Finally, passwords haven't gone away yet. As with the notion of flying cars, we're all still waiting for that to happen.

 

Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.