In response to the October FFIEC guidance to the banking industry about online authentication and similar pushes in other industries, the Liberty Alliance Project has formed the Strong Authentication Expert Group (SAEG). The intent is to develop an open framework for deploying hardware and software tokens, smart cards, SMS-based systems and biometrics across organizational boundaries.
The Liberty Alliance Project, an alliance of technology firms, nonprofit groups and government organizations, promotes the concept of federated network identity. Although techniques may vary, the principle of federated identity remains the same -- that the process of authentication be decoupled from the underlying services provided.
Consider the case of a 401(k) plan provider and its sponsoring employers. Logically, the best place to authenticate the identities of 401(k) account holders would be with their employers, rather than with the plan provider. With the federated model, that's exactly what happens. The employer's identity assertions are made portable through a "handshake" process, allowing the plan provider to offer its online services without having to re-authenticate the user.
Adoption is still in the "nascent stage," admits Roger Sullivan, vice president, identity management, Oracle (Redwood Shores, Calif.), given the legal ramifications involved with third-party assertions.