Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
It seems every time I think that single sign-on is becoming old hat, something comes along that makes me open my eyes. WIDE. I sat down with Metapass CEO David Dupouy last week while he showed off his excellent solution for single sign-on. And I do mean "single sign-on" literally. It's not "simplified" sign-on or "reduced" sign-on - it's perhaps the only contender for the "it works with everything" prize. But don't just take my word for it.
When Siemens was looking for an enterprise SSO partner, it tried them all. Here’s what Thomas Kautenburger, Siemens’ director of Solution Management for Mobility & Security, had to say: “MetaPass was a clear winner out of this assessment [i.e., the testing Siemens did] because of their innovative approach of using a ‘virtual API’ technology that allows integration with any application (and I will use the term ‘any’ until somebody shows me the opposite). In fact we could accomplish in projects so far any application integration the customer asked for, independent of a Windows, Apple or Linux platform, independent if Web, GUI, terminal emulation or even really nasty mixed-mode user front-ends like a terminal emulation applet within a Web browser through a Citrix session.”
Besides all that, it’s extremely easy to use for both the end-user and the administrator. There are no scripts to write and no programming at all, just a “point-and-click” interface that defines the authentication ceremony for any application or service your users might encounter. Even two-step or multi-factor ceremonies.
In addition, Metapass will handle password changes, allowing the administrator to define the strength (length, character set, case, etc.) and automating the change. Metapass can even test all of its interfaces regularly and alert the administrator to application changes that might necessitate redrawing the authentication ceremony for a particular application. And that redraw will take the administrator less time than reading this paragraph.
Metapass’ Dupouy called the product “third generation” SSO (and I’m glad he didn’t say SSO 3.0!). His timeline is:
* Generation 1: Scripting – the SSO vendor writes a script, or custom software, for each application that needs to be accessed by the customer. This is a long and painful process that is highly vulnerable to applications and OS updates. Maintaining such scripts is challenging and the customer is highly dependent on the SSO vendor. Moreover, not all applications are scriptable. Usually the SSO doesn't work with many systems; users still have multiple passwords to remember, resulting in a mere “reduced sign-on” solution.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.