The entire online world is going to become one big, happy federated network, a unified cybernation of authorised digerati accessing and buying everything with a single, easy log-in, right?
Not so fast, pilgrim. According to Amdahl's Law, the scalability of all things digital is controlled by the slowest elements, not the speediest. Large consumer federated networks are going to encounter natural resistance from real-world constraints, starting with authentication.
Pundits put federated networks in the identity management taxonomy, where they're treated as infrastructure because they include a directory to support a plethora of security systems. Under the identity management umbrella are centralised administration and life-cycle management of user ID data and attributes, log-in synchronisation across multiple applications, single sign-on, authentication and policy-based access control.
Authentication and identity management overlap, but authentication is more accurately viewed separately. Predictions have generally pegged both the authentication and the identity management marketplaces for rapid double-digit growth, with identity management pulling ahead and posting more than $10 billion in annual sales by around 2007, according to IDC.
Uh-oh, here come the (l)users
For identity management, the rubber meets the road at authentication. Authentication means users, and users always increase uncertainty and cost. Watch deployments of endpoint client software for realistic indicators of scalability as the neat and tidy digital world collides with the messy analogue one.
Order prevails in the enterprise identity-management marketplace, in federated networks serving the supply and distribution chains of large multinationals like General Electric, Toyota or Boeing. Such federated networks are built on high levels of trust. Suppliers seeking to do business with the large multinationals readily adopt the required authentication standards as a cost of doing business. The authentication on-ramps to federated networks are reasonably tidy and orderly in this trusted model.
The trust model for large controlled federated networks generally applies to governments, where those seeking access to desired services can be required to adopt certain authentication standards. This may not be the case for the Inland Revenue, the passport office or driving licence bureau serving the general public.
Chaos reigns for the universal consumer federated network, which resembles hordes of holiday shoppers descending on malls daily. Netizens armed with multiple unknown authentication factors present online merchants and service providers with tough decisions regarding privileges. Imagine if mall merchants only supported a credit card from a single issuing bank and the bottlenecks that would develop as the merchants tried to determine the trustworthiness of credit cards from other, unknown banks.
Today's enterprise federated networks are built on a secure trust model and rely on a deterministic yes-or-no authentication decision. Authentication assertions are quickly passed among the federation members with digital precision. As long as the standards are followed, there are few authentication problems.
Parsing multiple unknown authentication methods to make trust decisions about consumer access and about service and sales authorisations is no trivial task. This type of indeterminate decision-making is a nuanced probabilistic exercise not readily supported in current federation models. What if that one-time password token the online customer is flashing is unrecognised?
Beware the demands of the marketplace
The ability to enforce deterministic authentication for quick federation assertions bends when the marketplace pushes back with a wider variety of authentication methods and credentials than envisioned in federation architectures. Millions of dollars in potential online business from lesser-known and less-trusted authentication credentials create an indeterminate federation on-ramp.
Consumer businesses are mature users of risk management models for making economic decisions in an uncertain environment. The cost of bad debts, fraudulent cheques and stolen merchandise is factored into the cost of everything we buy; it's included in the price tag.
Guess which authentication trust model will win in the online consumer market - the high-trust deterministic authentication model, or the Wild West multifactor indeterminate shootout that promises a much larger marketplace?
Authentication is receiving a lot of attention from security vendors and consumer businesses as they become aware of the risks of doing business online. Chief among the risks in the consumer marketplace are the undesirable choices of lost sales or the return of the world-wide wait, which is untenable in a consumer society.
Meanwhile, back at the knowledge ranch, new types of authentication services and products are on the drawing boards to better manage the risk in consumer multifactor authentication. Imagine a future where the daily news includes Internet authentication advisories, along with traffic, weather and sports. Juice your credit cards and start your multifactor authentication engine to beat the traffic jam on the Internet on-ramp.