Skip to Content

Universal Authentication

Leading the development of a privacy-protecting online ID system, Scott Cantor is hoping for a safer Internet.
March 13, 2006

If you’re like most people, you’ve established multiple user IDs and passwords on the Internet – for your employer or school, your e-mail accounts, online retailers, banks, and so forth. It’s cumbersome and confusing, slowing down online interactions if only because it’s so easy to forget the plethora of passwords. Worse, the diversity of authentication systems increases the chances that somewhere, your privacy will be compromised, or your identity will be stolen.

Security with privacy: Shibboleth software could create a far more trustworthy Internet by allowing a one-step login that carries through to many online organizations, confirming identity but preserving privacy. In this example, a student logs in to his university's site, then clicks through to a second university. Shibboleth confirms that the person is a student but doesn't give his name.
BRYAN CHRISTIE DESIGN

Universal Authentication

  • Key players

    Stefan Brands – Cryptology, identity management, and authentication technologies at McGill University; Kim Cameron – “InfoCard” system to manage and employ a range of digital identity information at Microsoft, Redmond, WA; Robert Morgan – “Person registry” that gathers identity data from source systems; scalable authentication infrastructure at University of Washington; Tony Nadalin – Personal-identity software platform at IBM, Armonk, NY

The balkanization of today’s online identity-verifying systems is a big part of the Internet’s fraud and security crisis. As Kim Cameron, Microsoft’s architect of identity and access, puts it in his blog, “If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet.” Finding ways to bolster that trust is critically important to preserving the Internet as a useful, thriving medium, argues David D. Clark, an MIT computer scientist and the Internet’s onetime chief protocol architect.

Scott Cantor, a senior systems developer at Ohio State University, thinks the answer may lie in Web “authentication systems” that allow users to hop securely from one site to another after signing on just once. Such systems could protect both users’ privacy and the online businesses and other institutions that offer Web-based services.

Cantor led the technical development of Shibboleth, an open-standard authentication system used by universities and the research community, and his current project is to expand its reach. He has worked, not only to make the system function smoothly, but also to build bridges between it and parallel corporate efforts. “Scott is the rock star of the group,” says Steven Carmody, an IT architect at Brown University who manages a Shibboleth project for Internet2, an Ann Arbor, MI-based research consortium that develops advanced Internet technologies for research laboratories and universities. “Scott’s work has greatly simplified the management of these Internet-based relationships, while ensuring the required security and level of assurance for each transaction.”

Shibboleth acts not only as an authentication system but also – counterintuitively – as a guardian of privacy. Say a student at Ohio State wishes to access Brown’s online library. Ohio State securely holds her identifying information – name, age, campus affiliations, and so forth. She enters her user ID and password into a page on Ohio State’s website. But when she clicks through to Brown, Shibboleth takes over. It delivers only the identifying information Brown really needs to know: the user is a registered Ohio State student.

While some U.S. universities have been using Shibboleth since 2003, adoption of the system grew rapidly in 2005. It’s now used at 500-plus sites worldwide, including educational systems in Australia, Belgium, England, Finland, Denmark, Germany, Switzerland, and the Netherlands; even institutions in China are signing on. Also in late 2005, Internet2 announced Shibboleth’s interoperability with a Microsoft security infrastructure called the Active Directory Federation Service.

Critically, the system is moving into the private sector, too. The science and medical division of research publishing conglomerate Reed Elsevier has begun granting university-based subscribers access to its online resources through Shibboleth, rather than requiring separate, Elsevier-specific logins. And Cantor has forged ties with the Liberty Alliance, a consortium of more than 150 companies and other institutions dedicated to creating shared identity and authentication systems.

With Cantor’s help, the alliance, which includes companies such as AOL, Bank of America, IBM, and Fidelity Investments, is basing the design of its authentication systems on a common standard known as SAML. The alliance, Cantor says, was “wrestling with lots of the same hard questions that we were, and we were starting to play in the same kind of territories. Now there is a common foundation….we’re trying to make it ubiquitous.” With technical barriers overcome, the companies can now roll out systems as their business needs dictate.

Of course, Cantor is not the only researcher, nor Shibboleth the only technology, in the field of Internet authentication. In 1999, for instance, Microsoft launched its Passport system, which let Windows users access any participating website using their e-mail addresses and passwords. Passport, however, encountered a range of security and privacy problems.

But thanks to the efforts of the Shibboleth team and the Liberty Alliance, Web surfers could start accessing multiple sites with a single login in the next year or so, as companies begin rolling out interoperable authentication systems.