Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Over the years I’ve been writing this newsletter, the concept of “context” comes up time and again. As I’ve often said, "context" is a better (or, at least, a different) way of looking at identity transactions - the who, what, when, where, how (and perhaps why) of an authentication or authorization. I may give the impression that I am somewhat focused on this concept. Some would even say that I, perhaps, obsess about it. One friend even mentioned that he thought humorist Dave Barry was thinking of me and context (or, “me in context”) when he said: "I argue very well. Ask any of my remaining friends. I can win an argument on any topic, against any opponent. People know this, and steer clear of me at parties. Often, as a sign of their great respect, they don't even invite me." My only plea is that I wish more folks with influence in identity management vendor circles would take context more seriously.
That may be happening.
Paul Madsen is the co-chair of the Liberty Alliance Technology Expert Group (TEG), the group that produces the Alliance's technical specifications and the scenarios for implementing them. He wrote, for example, "Liberty ID-WSF People Service – federated social identity".
Recently on his blog he discussed the SAML specification element AuthnContext. As he said: “Most people associate the element with capturing the specifics of how the user authenticated to the IDP [identity provider], e.g. either using a password or (more meaningfully for maximizing the value of the [single sign-on]) some stronger authentication technology like an OTP [one time password] or smart card.” Generally, that’s the way I see most vendors using “context” when it comes to authentication, also.
But Madsen goes on to say: “But Authentication Context is far more powerful than merely describing this aspect of the authentication. Authentication Context gives IDPs and [service providers] a language to discuss many other aspects of the context of the authentication, including:
* The initial user identification mechanisms (for example, face-to-face, online, shared secret).
* The mechanisms for minimizing compromise of credentials (for example, credential renewal frequency, client-side key generation).
* The mechanisms for storing and protecting credentials (for example, smart card, password rules).
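The practical consequence of Madsen's point is on the service-provider side: an SP should not merely accept that the IdP authenticated someone, it should read the asserted AuthnContext, compare it against what it asked for in its AuthnRequest, and decline (or step up) when the context falls short. The Python below is an added example written for this column, not code from Liberty Alliance, the SAML specs, or any vendor. It parses a hand-constructed, unsigned assertion (real SPs verify the XML signature, Issuer, Conditions and InResponseTo first), pulls the AuthnContextClassRef and a few details from an inline AuthenticationContextDeclaration (element names from the SAML 2.0 Authentication Context namespace urn:oasis:names:tc:SAML:2.0:ac), and applies the RequestedAuthnContext "exact"/"minimum"/"better"/"maximum" comparisons. The class ordering in SP_POLICY_RANK is an assumed, SP-local policy: SAML defines no universal strength ranking, so "minimum" only means what IdP and SP have agreed out of band.

```python
"""Reading and enforcing SAML 2.0 AuthnContext at a service provider.

Added example for this column, not Liberty Alliance or vendor code. The
assertion is constructed and unsigned; signature, Issuer, Conditions and
InResponseTo checks are assumed to have passed before this code runs.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
AC = "urn:oasis:names:tc:SAML:2.0:ac"
NS = {"saml": SAML, "samlp": SAMLP, "ac": AC}
CLASSES = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed SP-local ordering (higher = stronger). SAML itself defines no such
# ranking; adjust this table to the policy you agreed with your IdP.
SP_POLICY_RANK = {
    CLASSES + "unspecified": 0, CLASSES + "Password": 1,
    CLASSES + "PasswordProtectedTransport": 2, CLASSES + "Kerberos": 3,
    CLASSES + "TimeSyncToken": 4, CLASSES + "Smartcard": 5,
    CLASSES + "SmartcardPKI": 6,
}

# Constructed sample: a password login over TLS, with an inline declaration
# describing how the user was originally identified and the password rules.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2008-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthnContextDecl>
        <ac:AuthenticationContextDeclaration xmlns:ac="urn:oasis:names:tc:SAML:2.0:ac">
          <ac:Identification nym="verinymity">
            <ac:PhysicalVerification credentialLevel="primary"/>
          </ac:Identification>
          <ac:AuthnMethod>
            <ac:PrincipalAuthenticationMechanism>
              <ac:Password><ac:Length min="12"/></ac:Password>
            </ac:PrincipalAuthenticationMechanism>
          </ac:AuthnMethod>
        </ac:AuthenticationContextDeclaration>
      </saml:AuthnContextDecl>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_authn_context(assertion_xml):
    """Return the class URI plus selected details from an inline declaration."""
    root = ET.fromstring(assertion_xml)
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext", NS)
    if ctx is None:
        raise ValueError("assertion carries no AuthnStatement/AuthnContext")
    class_ref = ctx.findtext("saml:AuthnContextClassRef", namespaces=NS)
    info = {
        "class_ref": class_ref.strip() if class_ref else None,
        "nym": None,                     # anonymity / pseudonymity / verinymity
        "physical_verification": False,  # face-to-face identity proofing
        "key_storage_medium": None,      # e.g. smartcard, token, memory
        "password_min_length": None,
    }
    decl = ctx.find("saml:AuthnContextDecl/ac:AuthenticationContextDeclaration", NS)
    if decl is not None:
        ident = decl.find("ac:Identification", NS)
        if ident is not None:
            info["nym"] = ident.get("nym")
            info["physical_verification"] = ident.find("ac:PhysicalVerification", NS) is not None
        storage = decl.find(".//ac:KeyStorage", NS)  # under Private/SecretKeyProtection
        if storage is not None:
            info["key_storage_medium"] = storage.get("medium")
        length = decl.find("ac:AuthnMethod/ac:PrincipalAuthenticationMechanism/"
                           "ac:Password/ac:Length", NS)
        if length is not None and length.get("min"):
            info["password_min_length"] = int(length.get("min"))
    return info


def meets_policy(class_ref, required, comparison="exact"):
    """RequestedAuthnContext Comparison semantics; unknown classes fail closed."""
    if comparison == "exact":
        return class_ref == required
    if class_ref not in SP_POLICY_RANK or required not in SP_POLICY_RANK:
        return False
    got, want = SP_POLICY_RANK[class_ref], SP_POLICY_RANK[required]
    if comparison == "minimum":
        return got >= want
    if comparison == "better":
        return got > want
    if comparison == "maximum":
        return got <= want
    raise ValueError("unknown Comparison value: %s" % comparison)


def requested_authn_context(class_refs, comparison="minimum"):
    """Serialise the samlp:RequestedAuthnContext an SP sends in its AuthnRequest."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    rac = ET.Element("{%s}RequestedAuthnContext" % SAMLP, Comparison=comparison)
    for ref in class_refs:
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = ref
    return ET.tostring(rac, encoding="unicode")


def authorize(assertion_xml, required, comparison="exact"):
    """SP decision on the authentication context alone: (accepted, details)."""
    info = parse_authn_context(assertion_xml)
    return meets_policy(info["class_ref"], required, comparison), info


if __name__ == "__main__":
    ok, details = authorize(SAMPLE_ASSERTION, CLASSES + "TimeSyncToken", "minimum")
    print(details)
    print("accepted" if ok else "step-up authentication required")
    print(requested_authn_context([CLASSES + "TimeSyncToken", CLASSES + "Smartcard"]))
```

Two things worth noticing when running it. First, the declaration lets the SP reason about more than the login method: the sample says the user was identified face-to-face (PhysicalVerification under Identification) and that a 12-character minimum password policy applies, which is exactly the "who was this person when the account was created" and "how is the credential protected" context the column argues for. Second, everything here is still the IdP's claim about itself; a context check is only as trustworthy as the IdP that asserts it, which is why the signature and issuer checks come first and why unknown class URIs are rejected rather than guessed at.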
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.