There are several reasons to reevaluate the need for identity management. First, there is the trouble of implementing it. Not only does it have to be secure enough, privacy laws also apply, so the supervisory authorities will be watching.
Second: your customers hate identity management. You're not the only one who has to manage identities; so do your customers. Identity 2.0 didn't happen just because it could.
Federation is an intriguing technique for identifying individuals. It does require another point of view, but there are many benefits. For instance, you don't have to manage identities yourself; you can have a specialist, the Identity Provider (IdP), take care of that. You only have to trust the IdP and open up your business to the new protocols. And your customers don't need yet another account and password. They can reuse an existing identity.
Last week a new business case appeared. In France, new regulations require website owners to make identity information accessible to the authorities. Accounts, passwords, personal data. Not really what security is about. These laws apply to French companies, but perhaps also to companies dealing with French customers, although I cannot imagine how French authorities can plan to execute these regulations.
But this new development does help us to define a new business case for federation. Federation means that the relying party, the party trusting a third-party IdP, doesn't have to store personal data, except for transaction data. And what you don't have, you can't lose. Or hand over to others.