Archive for the ‘Uncategorized’ Category


Back Again!

October 17, 2008

It has been a while, getting used to a new city and a new organization. Consulting has its own woes of travelling, but it is fun to meet new people and expand one's network. And now I'm doing something closer to my heart – information security.

For the past few days I've been trying to catch up with my reading and the blogrolls I follow. And there is a lot of catching up to do…

A few things happened in the IAM world in the past few months. Other than the very important fact that I moved to a new position as a consultant, there have been a few new initiatives. One that I find interesting is the Liberty Identity Assurance Framework. This is an attempt to formulate an identity trust service framework for authentication, especially in the context of federation. The framework is based partly on the e-Authentication Partnership (EAP) and the US E-Authentication Federation. It is being delivered by the Identity Assurance Expert Group of the alliance, which is focused on creating ‘a framework of baseline policies, business rules, and commercial terms against which identity trust services can be assessed and evaluated’.

The IAF, in its first version 1.1, presents the concept of assurance levels, which define the degree to which the relying party (RP) can be confident in the electronic identity that the Identity Provider asserts to it. The framework defines four levels, 1 through 4: 1 for little or no confidence, 2 for some confidence, 3 for high confidence and 4 for very high confidence in the validity of the asserted identity. It also maps these levels to a rationalized set of potential impacts of authentication errors. And it presents Service Assessment Criteria that define the requirements for attaining each level.

So this looks to be a positive step towards identity services, especially in the SaaS domain. We will have to wait and see whether open source solutions get built around it and whether the framework remains vendor neutral.


The Password Conundrum

October 16, 2008

Sounds somewhat familiar, right? Well, most of us have this dilemma every day… I don't think I have to hire a ghost writer to write this puzzling story for me… My daily email vocabulary should be good enough to express the challenge we face every day as we try to remember more and more passwords!

The First Login: Your System!
Imagine getting up on the 31st morning and trying to log in to your system after a few failed attempts, because you were forced to change the password after the mandatory 72 days you set for yourself…

The Second Login: Your eMail Account!
Whether you want to check your personal email or the official one, you need to log in somewhere. Even setting up your POP or IMAP accounts needs you to have your passwords set in Outlook or Netscape! So if, unluckily, you changed that too, you know there is another little messy thing in the secret note you keep in your wallet!

The Third Login: Your bank account!
… then trying to log in to your bank account to check if your salary was posted, and you changed that too, hurriedly, to sync it up with your system password, and then realized that the online site does not allow silly passwords, and you end up setting up a super secret sleazy password! You mostly forget it because it had to contain a special character and you don't know which one you chose. So you want to mail it to yourself… Grrrrr, now this is a bank site, it's extra secure and you have to provide a primary and secondary ID to get the password mailed to you.
Maybe you were successful and had it mailed… but now you don't remember which mail id you registered with! OMG! That is a tough one! So you frantically search through your old emails and finally recover it…

Well, I am kind of scared about the whole scenario and wanted to end it there… but you know very well that this is not the end of it… there is always one more to remember and one more to change each day!

The best you could do one day is get 8/10 passwords synced up! Lucky you; my best is 5/15! Now if I have to choose a bank, I go by how long their online password change interval is and how easily I can reset it… not secure, but you know what, I have had enough!

This is where I need some industry-wide sign-me-once standard! Well, I believe with federation there is going to be one, and we will have fewer and fewer passwords to remember. There has been a lot of progress in this quest for single sign-on, including OpenSSO, Windows Live ID, SAML (federation), CAS, Shibboleth, OpenID etc. Two strong contenders in this race to create a single sign-on experience are the OpenID project and SAML implementations, and I think each has its own strengths and limitations. In this ID-wise trail we will discuss each of the existing and prevalent solutions as well as explore new possibilities.

Meanwhile, till the next stop, I came across this pretty interesting blog post from Justen Stepka… Bon reading..
http://www.jstepka.name/blog/2006/12/17/crowd-vs-saml-vs-liberty-alliance-vs-openid-vs-cas-vs-shibboleth/