March/April 2006

Universal Authentication

Leading the development of a privacy-protecting online ID system, Scott Cantor is hoping for a safer Internet.

By David Talbot

This article is the seventh in a series of 10 stories we're running over two weeks, covering today's most significant (and just plain cool) emerging technologies. It's part of our annual "10 Emerging Technologies" report, which appears in the March/April print issue of Technology Review.

If you're like most people, you've established multiple user IDs and passwords on the Internet -- for your employer or school, your e-mail accounts, online retailers, banks, and so forth. It's cumbersome and confusing, slowing down online interactions if only because it's so easy to forget the plethora of passwords. Worse, the diversity of authentication systems increases the chances that somewhere, your privacy will be compromised, or your identity will be stolen.

[Click here for an example of univeral authentication.] 

The balkanization of today's online identity-verifying systems is a big part of the Internet's fraud and security crisis. As Kim Cameron, Microsoft's architect of identity and access, puts it in his blog, "If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet." Finding ways to bolster that trust is critically important to preserving the Internet as a useful, thriving medium, argues David D. Clark, an MIT computer scientist and the Internet's onetime chief protocol architect.

Scott Cantor, a senior systems developer at Ohio State University, thinks the answer may lie in Web "authentication systems" that allow users to hop securely from one site to another after signing on just once. Such systems could protect both users' privacy and the online businesses and other institutions that offer Web-based services.

Cantor led the technical development of Shibboleth, an open-standard authentication system used by universities and the research community, and his current project is to expand its reach. He has worked, not only to make the system function smoothly, but also to build bridges between it and parallel corporate efforts. "Scott is the rock star of the group," says Steven Carmody, an IT architect at Brown University who manages a Shibboleth project for Internet2, an Ann Arbor, MI-based research consortium that develops advanced Internet technologies for research laboratories and universities. "Scott's work has greatly simplified the management of these Internet-based relationships, while ensuring the required security and level of assurance for each transaction."

Shibboleth acts not only as an authentication system but also -- counterintuitively -- as a guardian of privacy. Say a student at Ohio State wishes to access Brown's online library. Ohio State securely holds her identifying information -- name, age, campus affiliations, and so forth. She enters her user ID and password into a page on Ohio State's website. But when she clicks through to Brown, Shibboleth takes over. It delivers only the identifying information Brown really needs to know: the user is a registered Ohio State student.