The Right Tools…
Posted by BPuhl on April 28, 2008
Wow! Just got back from the European Identity Conference, and what an awesome experience. 3 days packed with everything that anyone could ever want about identity management, federation, and governance/compliance. The event is hosted by Kuppinger Cole + Partner, an analyst firm which focuses on identity issues.
One of the things I found extremely interesting was the large number of conversations that focused on OpenID. OpenID is a federation-like authentication technology that allows a user from one domain to authenticate to resources in another domain (web domains, not AD). OpenID is understood to have some less than stellar security considerations, but at the same time it’s incredibly easy to implement.
The conversations were interesting, though, because they often came back around to the familiar theme: needing the right tool for the job.
OpenID is being “marketed” (term used loosely) as a logon convenience for low-impact sites, such as blogs. This mostly makes sense, because if someone malicious hacked into your blog, it wouldn’t be the end of the world, and the trade-off of not needing to maintain a password is worth the risk. But that’s the key point – THE TRADE-OFF OF CONVENIENCE IS WORTH THE SECURITY RISK.
Many times there were comments or discussions about how to make OpenID “more secure”, or how to use it in situations where the impact might be higher and you wanted more security. Well, if you want more security, then you should look at using one of the “more secure” protocols, like SAML or WS-*. The trade-off here, though, is that these require much more overhead to implement and manage.
When you’re analyzing tools for a project, though, the different authentication protocols (aw heck, let’s toss Kerberos and NTLM in just for fun as well) are not all created equal. They all have varying levels of management overhead, security, infrastructure, and ease-of-use which you need to consider.
The good news is that there is a wide variety of technologies available. It’s up to the technical folks to understand the differences and make the right decisions, so that users get the right balance of protection and user experience.