The Identity Wars
In the battle for customers for single sign-on identity services, it appears to be Microsoft against everybody else.
When it comes to identity, e-commerce can still be an ad hoc and redundant exercise. In dealing with different vendors, most customers have to repeatedly register by entering relevant "identity" data like address, phone and credit-card numbers to make purchases at different sites. Single sign-on identity services that allow customers to use one account, password and interface to access affiliated Web sites greatly improve customer convenience and permit vendors to use that data for personalized customer service and affinity marketing. Most identity services are gestating still, which may be why Gartner Inc. findings suggest most consumers don't believe more convenience is a fair trade for potential risks to their data privacy and possibly bothersome online solicitations from vendors. Nonetheless, Gartner believes identity services will flourish because they will be embedded into operating systems, the Internet and other services that consumers will not be able to avoid using.
Microsoft's .NET Passport single sign-on identity service is the longest functioning one to date. AOL recently launched its Magic Carpet identity service and other major e-tailors like Amazon.com have announced their intention of doing so. But, for obvious reasons, Sun Microsystems and other vendors are promoting alternatives via The Liberty Alliance. The Alliance is a consortium of vendors cooperating to create an open identity standard and API, which will enable the members that launch their own services to interoperate—though not with .NET Passport, unless Microsoft joins the Alliance down the road. For instance, AOL's Magic Carpet will eventually conform to the Alliance standard once it's created. If other online businesses in the Alliance, like American Express, launch compatible services, customers will have single sign-on access to a combined vendor base.
While selling single sign-on licenses to major online businesses like Starbucks is new revenue for Microsoft, winning customers away from competing vendors like Sun and AOL is the ultimate goal. If all cardholders of a major credit-card company use one vendor's single sign-on service, they become cross-sell candidates for that vendor's other products. They also become members of a community to which all businesses affiliated with the service can potentially market and sell. The advantage of an alliance of vendors is that it potentially expands the potential for affinity marketing to customers of all members of the alliance. So businesses tend to be behind the movement because it stands to grow their sales.
While customers eventually benefit by greater sign-on convenience and vendor choice, and vendors benefit from an increased b-to-c market, a common identity system also benefits the longer term development of a Web services "cloud" for faster, cheaper and more flexible b-to-b e-business. This is the real cherry in the chocolate-covered cherry of identity services.
Most Web services today work alone, perform simple tasks, providers securely maintain lists of authorized users, and users authenticate themselves using IDs and passwords. In two years, though, Web services networks and other developments will foster the use of complex, recombinant services from different providers. Users will not want to have to re-authenticate themselves as they move between discrete services within a larger process comprised of different Web services. That security mechanism should work for any Web service from any business with which a user interacts.
For example, the identity service, or any number of other companies—affiliated merchants or third-party service providers—could maintain the user's identity data. The Web service would call the identity service at runtime to authenticate a user and as the user activates related Web services, the identity service might pass a token to transparently authenticate the user.
The problem with multiple-vendor identity services, however, is interoperability. For competitive differentiation, Microsoft may persist in offering a service that's not compatible with Liberty Alliance members' services. So if companies want customers of both services to buy their products, the companies will have to buy licenses for both. This creates extra cost, management and technology integration for vendor members who want to reach both users of .NET Passport and an Alliance member's service.
Microsoft, however, still "claims" .NET Passport is already open because it supports the Kerberos standard. In fact, Microsoft has tweaked the standard to favor its own service so it's really only "sort of open." But many feel that this technical hurdle is not the real wedge between Microsoft and other services. The problem is more about Microsoft's business ethos—if another service requests a customer's identity data, will Microsoft provide all of it? If it comes to that, only time will tell.
So enterprises that want a single sign-on identity service must sign up for .NET Passport now, commit to a Liberty Alliance-compliant service like AOL later this year, or support multiple identity services.
Because .NET Passport is the only "operating" service and The Liberty Alliance promises an "open" spec. for future services, we compare the working service to the standards coalition strategy in several high-level areas. We'll leave it to readers to decide which approach is most suitable to them.
Liberty Alliance/.NET Passport Breakdown
Business Track Record
- In operation as identity service since 1999
- Founded September 2001 as a loose vendor consortium to create an identity standard and API; first version of standard due around March 2002
Number of Users
- Vendor charter members represent potentially over a billion network identities—AOL's Magic Carpet has 30 million accounts but, though in the Alliance, can't conform to its incomplete standard as of yet
- .NET Passport is a core piece of Microsoft's .NET online services architecture
- As of March 2001 Microsoft will "federate" both .NET Passport and .NET My Services (its Web services program) so that users can single sign-on to both (so federation is among those Microsoft applications)
- Customers have access only to vendors licensing .NET Passport, and vendors have access only to customers registered with .NET Passport
- Vendors get identity data only with permission of customer
- Users sign up for .NET Passport when they register with Hotmail or MSN.com or they can sign up from participating Passport vendor sites
- Is creating an open identity standard and API for single sign-on identity services with decentralized authentication and open authorization from multiple providers
- Will enable "federated identity" so any Alliance member's identity service is compatible with any other member's service and identity data is controlled by multiple parties—so businesses can maintain ownership of their customer directories or shop the data out to a trusted third-party service provider like an ASP
.NET Passport appeals to:
- Newer and smaller e-businesses without many registered users and without much in-house expertise in authentication—Microsoft manages all identity operations so affiliated partners need know nothing about identity technology
- Smaller e-businesses that can attract Passport users more easily than they could users of other identity services—200 million users already run Passport and can access the affiliated e-businesses via it
- Smaller e-business Passport users that will trust a major online presence like Microsoft more than a less-experienced e-tailer with their identity data
Liberty Alliance appeals to:
- Established online businesses with large online customer bases and the expertise to collect and use consumer information for personalization, etc.
- Large e-tailers that can afford to take a wait-and-see approach and choose the best service when enough are operating
- Large e-tailers that want to use their existing user ID and authorization systems to save time, money and trouble
- Large e-tailers that want to keep identity data in their own directories for better sense of security
- Relatively proprietary (if a vendor or customer uses a Liberty Alliance identity service, they cannot access .NET Passport customers or vendors)
- All .NET Passport customer identity data is maintained and controlled by Microsoft
- Microsoft has not published the XML vocabulary for Passport, nor have they published a Web service API that allows any Web service to use Passport to authenticate users
- Microsoft sells those formats and protocols—to set up a Web service that uses Passport as an identity service, customers have to license the Passport development kit and pay to access the service at runtime
- Only Microsoft can operate a Passport service—support for Kerberos v5.0 means customers can let Passport access their internal user management systems to retrieve user identity information IF the system supports Kerberos v5.0
- All customer identity data is NOT maintained and controlled by one central company—each service in the Alliance controls its customers' data but can share it with other services in the Alliance
- Federation is nonproprietary within the Alliance (if a vendor or customer uses a Liberty Alliance identity service, they can access customers and vendors in any other identity service offered by a member of the Alliance but cannot access .NET Passport customers or vendors)
- List of members of the Liberty Alliance Project: www.projectliberty.org/about/faq.html
- Many of the members have existing identity mechanisms that they can convert to commercial identity services—or are offering identity services—and large enough customer bases to successfully compete with Microsoft. AOL's Magic Carpet, for instance, pulls about 30 million user IDs from its AOL, AOL Instant Messenger and CompuServe 2000 accounts.
- Microsoft has experienced documented security breaches of Passport—see Passport home page (www.passport.com) FAQs for explanation of security procedures
- Because Microsoft centrally controls all identity data, a successful hacker can conceivably get access to all of it
- Because Alliance identity data is controlled in subsets of customers of each identity service within the Alliance, a successful hacker can conceivably get access only to a subset of data
- Will draw users of:
- Online service: MSN.com and Hotmail.com
- Operating System: Windows XP
- Web services: Hailstorm
- Will draw users of:
- Online Service: AOL and services that compete with MSN.com
- Operating System: Non-Windows platforms
- Web services: other than Hailstorm, from vendors like IBM, BEA, Oracle and Sun
Maintaining One or Multiple Services
- Licensing and managing Passport and another identity system (for vendors not affiliated with Passport) would be expensive (multiple licenses) and create complications for members (for instance, enterprises would need to create different interfaces for each service).
- Members are more likely to be able to use just Liberty because of its broad reach and affiliations
- New identity services like AOL's are more likely to join Liberty anyway.
John Harney is President of ASPWatch, a consultancy that delivers market, partner and technology strategy for ASPs and author of Application Service ProvidersA Manager's Guide (Addison-Wesley).