Google’s New Strong Authentication Service: Adding Bricks to the Federated Identity Foundation

Google's recent announcement of their use of one-time passwords delivered via SMS messages to mobile phones to strengthen authentication to Google Applications is an important online security step, but not solely for the reasons you may be thinking. Yes, it is nice to have a highly visible, no-extra-cost example of multi-factor authentication deployed for mass-scale consumer use. Anything that improves upon userid/password-only authentication schemes is very welcome. It is also a great and simple example of using a mass consumer phenomenon (mobile phones and texting) to help solve a security issue (online identity theft) that is a bane to both consumers and enterprises. However, I hope it will prompt more Web site owners to start asking themselves, "Why am I authenticating my online users when Google (or someone else) will do it for me cheaper and better as a cloud service?"

Taking it one step further: if Google (or someone else) is strongly authenticating users and supporting identity federation (which Google does), maybe Web site owners should trust and use the authentication services of these specialized service providers instead of doing it for themselves? This is exactly what happened with traditional strong authentication in the past. As organizations centralized their access controls to purely on-premise applications with Web access management systems, they simultaneously felt the need to strengthen their authentication to those applications. Strong authentication and centralized access control are closely related concepts. Once access is centralized behind a single authentication, the logical mitigating control is stronger authentication - which better protects the eggs you have placed in that one basket. This concept helped birth the one-time password token and the other authentication technologies of the 1990s. The same thing is now starting to happen on the Web, but of course at Internet scale.

A key economic and security flaw of the Internet today is that every Web site that processes sensitive data and transactions has to be in the user authentication business. That means each of them needs to conduct some level of identity proofing and credential issuance and management, just for access to their single Web site. This represents a direct cost to both the Web site operator and the user, the latter through an often poor Web user experience. The far superior system of the future is one in which a person has a relatively small number of authenticators, Google perhaps being one of them, and those authenticators vouch for the person at other sites. Of course, all I am talking about is the mass-scale use of federated identity. Those of us in the industry have been preparing the foundations of this new marketplace for many years. Google has just laid down another brick with their deployment of stronger authentication for their massive user base. There are important industry initiatives, such as the Kantara IAF, that are well underway to help catalyze this fledgling federated authentication marketplace by building on the existing federation foundation.