Friday, March 28, 2008

Federated Authentication: Creating Identity over the Web

I'm fairly certain that most of you have received an email that piqued your interest about a new Web service or application. It might be something that your bank is offering or perhaps a way to track your physical fitness routine online. So you visit the site. And what's the first thing you're asked to do?

Create a unique user name and password.

Personally, the incentive must be pretty high to get me to do this. I'm already managing this kind of information for scores of different Web sites and services. Why must I do it yet again?

Well, you shouldn't have to. And times are changing fast. Very fast. And museums need to be aware of what's happening and prepare. Today.

If you're as old as I am, you remember when your bank made its first ATM available. You could withdraw cash from a machine placed outside the bank! Within a very short time, you found that you could withdraw cash from an ATM at any of your bank's branches. And before long, banks were establishing trusted networks so that you could withdraw cash from nearly any bank world wide. This is what is happening on the Web. Organizations are getting together, working out standards and establishing trusted relationships.

Before too long, you will have a single identity on the Web and will be recognized no matter what service you access.

The National Institutes of Health (NIH) is leading one such effort. Last fall, they held a "Federated Authentication" Town Hall meeting. Federated authentication allows staff to collaborate with colleagues from diverse universities and organizations across the world.

In simple terms, it works like this. John Doe from the NIH may wish to collaborate with Mary Buck at the Center for Disease Control (CDC). The NIH and the CDC have both joined a "trusted" network. That is, the NIH and the CDC have each agreed to trust the other organization to authenticate its own staff. This means that if Mary wants to access resources on John's network, John simply needs to let his network know which resources Mary is being given permission to access. When Mary tries to access those resources, John's network asks Mary's network to authenticate her. Once authenticated, John's network then opens up access to the permitted resources.

The key point is that Mary doesn't need a separate userid and password to access John's network. She uses her CDC credentials. The CDC authenticates her and the NIH gives her access to permitted resources.

This example illustrates the start of a very, very important trend.
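The NIH/CDC exchange above, written out as an added illustration (this is not code from the post, from the NIH, or from InCommon/Shibboleth). It assumes a "trusted network" that is just a list of identity providers whose signing key John's network accepts, assertions signed with HMAC-SHA256 over a shared key as a stand-in for the public-key XML signatures a SAML federation actually uses, and a local access list on John's side. All entity IDs, keys and names are constructed for the example.

```python
"""Toy federated-login exchange modelled on the NIH/CDC story above.

Added illustration, not code from the post or from InCommon/Shibboleth.
Assumptions (all constructed for this example):
  * the "trusted network" is a list of identity providers (IdPs) whose
    signing key the service provider (SP, John's network) has agreed to accept;
  * assertions are signed with HMAC-SHA256 over a shared key, standing in
    for the XML-signature / public-key machinery a SAML federation uses;
  * authorization (which resources Mary may use) stays with the SP.
"""
import hashlib
import hmac
import json
import time

# --- Trust configuration held by John's network (the SP) ---
SP_ENTITY_ID = "https://sp.nih.example"          # constructed entity id
# Federation metadata: IdP entity id -> signing key. Constructed values.
TRUSTED_IDPS = {
    "https://idp.cdc.example": b"cdc-idp-signing-key",
}
# John grants Mary access to specific resources; the IdP is never asked about this.
ACL = {
    "mary.buck@cdc.example": {"/projects/flu-study", "/wiki"},
}
ASSERTION_TTL = 300  # seconds an assertion stays valid


def _sign(key: bytes, payload: bytes) -> str:
    """HMAC-SHA256 tag over the canonical JSON encoding of the claims."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def idp_issue_assertion(idp_id, idp_key, subject, audience, now=None):
    """Mary's network authenticates her and vouches for her identity.

    The IdP says only who the subject is, for which service (audience), and
    until when. It says nothing about what she may do on that service."""
    now = int(now if now is not None else time.time())
    claims = {
        "issuer": idp_id,
        "subject": subject,
        "audience": audience,
        "issued_at": now,
        "expires_at": now + ASSERTION_TTL,
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "signature": _sign(idp_key, payload)}


def sp_validate_assertion(assertion, now=None):
    """John's network checks the assertion before trusting the subject name.

    Returns (subject, None) on success or (None, reason) on failure."""
    now = int(now if now is not None else time.time())
    claims = assertion.get("claims", {})
    key = TRUSTED_IDPS.get(claims.get("issuer"))
    if key is None:
        return None, "issuer not in federation"
    payload = json.dumps(claims, sort_keys=True).encode()
    if not hmac.compare_digest(_sign(key, payload), assertion.get("signature", "")):
        return None, "bad signature"
    if claims.get("audience") != SP_ENTITY_ID:
        return None, "assertion was issued for a different service"
    if now >= claims.get("expires_at", 0):
        return None, "assertion expired"
    return claims["subject"], None


def sp_access(assertion, resource, now=None):
    """Full decision: authenticate via the federation, then authorize locally."""
    subject, reason = sp_validate_assertion(assertion, now)
    if subject is None:
        return False, reason
    if resource not in ACL.get(subject, set()):
        return False, f"{subject} is authenticated but not permitted on {resource}"
    return True, f"{subject} granted {resource}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    a = idp_issue_assertion("https://idp.cdc.example",
                            TRUSTED_IDPS["https://idp.cdc.example"],
                            "mary.buck@cdc.example", SP_ENTITY_ID, now=t0)
    print(sp_access(a, "/projects/flu-study", now=t0))        # granted
    print(sp_access(a, "/finance", now=t0))                   # authenticated, not permitted
    print(sp_access(a, "/wiki", now=t0 + ASSERTION_TTL + 1))  # expired
```

The split between `sp_validate_assertion` and the `ACL` lookup is the point of the story: the CDC answers "is this Mary?", the NIH alone answers "what may Mary touch?". The validator also shows the checks a relying party has to make before the federation is worth anything: the issuer must be on the trust list, the signature must verify, the assertion must have been issued for this service and not another one, and it must not have expired.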

Someday, you will always be connected to the resources that help you do your job and lead your life. Your mobile phone will likely be the device that facilitates this initially. You will need to move seamlessly from one network to another. You'll need access to the varied resources that exist on different networks. Each of these networks and resources will know who you are and what your preferences are. You'll have access to the tools you need to do your job and you'll have access to information that helps you manage your life. Looking for a restaurant in a strange city? The local networks will recognize you and your preferences. It will know where you're located and alert you to the location of your favorite eateries as well as a little cafe that your mother ate at last month...

Facilitating collaboration between research staff at two different museums or with a university is the start. For more information on one approach, please visit the InCommon Federation. If you're aware of similar collaborations in the museum community, please post a comment here!


Anonymous said...

Yes, and when Mary gives her password to Fred so he can deal with her email while she is on holiday, Fred has access to John's network without anyone at John's workplace knowing anything about it!

Anonymous said...

Does this mean I'll be charged $2.50 to use an out-of-my-network website? Oh wait... this isn't the net neutrality post.

Jim Angus said...

>Yes and when Mary gives her password
>to Fred so he can deal with her
>email while she is on holiday Fred has
>access to John's network without anyone
>at John's workplace knowing anything
>about it!

That's true now. You don't need federated authentication to violate security policies!

Bruce Falk said...

I love this concept, and have taken it up as a tangent to my blog comment about trusted authorities.

Anonymous said...

Of course security policies are routinely violated in the majority of work places. The problem with Federated Authentication is that any violation of a security policy or other breach of security has a much wider effect.

richard cooney said...

Here is an example of how federated authentication has been implemented over a network of hospitals in Europe:
Securing highly data collections