"Over 80 percent of authentication is still username and password - but there has to be change, because regulatory bodies are mandating it," says Jason Roualt, the chief technology officer (CTO) for HP's identity management group.

And that change is coming, as banks all over the world bring in two-factor authentication for their online customers, and as the US Federal Deposit Insurance Corporation mandates strong authentication for online banking by the end of this year: "If the banks implement that, it will touch a large proportion of the population," Roualt says.

"Strong authentication will be where things move to, but the act of authenticating involves user action, and people don't like change," he adds. "What form it will take is still up for debate - I think it will be something ubiquitous, such as a mobile phone."

HP's identity management group is one of its more recent creations. Selling its products under the OpenView Select brand, it's the result of several acquisitions that the company has made in recent years, according to Roualt.

"We identified identity management as a key technology to get into," he says. "We acquired access management from Baltimore, also TruLogica for identity provisioning, that became our Select Identity product. We OEM'd Trustgenix for federated identity and have now acquired them too, as Select Federation."

Automation and compliance
Roualt says that the business drivers behind identity management are the same across all industries, for example cost reduction via automating processes such as creating new accounts, deleting old ones, and password resets - plus a new one, namely regulatory compliance.

"A major driver for business is risk mitigation, and proving who had access to what at a particular time. You need to have process controls in place to satisfy the auditors. Without automation it takes IT managers an inordinate time to generate lists of who has access to what.

"The technology drivers are the ability to provide ease of use and effective change management, as organisational changes occur and the IT infrastructure changes, for example," he adds. "Identity needs to adapt to those changes in a way that doesn't require administrative intervention, so a line of business person could use them."

HP's interest is a result of the synergy between it sees etween identity management and its existing network and systems management framework, OpenView.

"We bring a lot of automation," says Roualt. "You might want a physical approval process, but there's still a lot you can automate, such as accounts for a new hire. We're connected into all the back-end systems, we know where the new user is and who they report to, and we know the business policies, so we can arrange access and accounts from day one.

"You can also compare your actions with business policy and remediate them if they're wrong. And when provisioning new servers, it's important to specify access control policy at the same time."

Enter the Federation
Roualt says that two of the most important developments in this whole area will be federated identity - HP is a member of the Liberty Alliance - and service-oriented architectures, or SOA.

"From an SOA point of view, identity will be exposed as services that can be consumed or requested. You are going to see identity management pushed down from the application level into the infrastructure - we think we can effect that change," he explains.

"It will be used and managed through network access control devices and also down to the servers and storage. It could go down to the chips on the motherboard. Mainly we're talking about user identity now, but it can be the identity of other services and so on.

"From a federation standpoint, the whole idea is that your identity is owned by a number of vested interests, such as your employer, your health company, and the organisation you're dealing with needs bits of those for the transaction. Using Liberty they can discover where that information resides and pull it in as needed, dependent on your privacy settings.

"It uses a discovery mechanism, it goes back to the identity provider and asks 'where can I get this information?' and the provider issues tokens which provide the reference and also the authentication to get that information."

That means you don't need to give all your personal or business information to every organisation you deal with. Instead, it goes to trusted third parties who can then say yes, you are who you say you are, and you indeed licenced to drive, set up direct debits, or whatever.

At liberty to choose
"Liberty wanted the consumer to be able to choose their identity provider, not only be offered one," Roualt says. "Right now, federated identity is more of a mesh, but I think it will work out to be fewer identity providers, such as financial services, credit unions, government bodies."

And if you thought federated identity was just a buzzword, think again: the protocols, such as the XML-based security assertion markup language SAML from OASIS, the Liberty identity federation framework (ID-FF), and the IBM and Microsoft-led web services federation language are already in place, with identity tools such as HP's Select Federation agnostically bridging between them as needed.

Roualt estimates that there will be two billion federated identities issued this year - not least because Liberty and OASIS member Nokia is shipping phones that support SAML and ID-FF.

"The technology is the easy part, it's the business processes that are the challenge - issues of trust, liability and so on," he continues. "Those issues have traditionally been dealt with by lawyers and contracts, but that's a process that doesn't scale well. People have been doing EDI for years though, so many of them are just going in and adapting those existing relationships."