Validation, authorization: The next steps to identity management

* Why the identity management industry should now be working on validation, authorization

As someone pointed out to me last week, we're still spending an inordinate amount of time talking about authentication, and still trying to find a way to obviate the need for users to either memorize or write down lists of passwords and account names. Certainly that issue has come up in this newsletter a number of times over the past few weeks and months.

This all seemed to come to a head last week as I carried on conversations with Kuppinger Cole analyst Felix Gaehtgens and Metapass CEO David Dupouy, as well as in things I read in a New York Times column (Goodbye, Passwords. You Aren’t a Good Defense – note: registration required) and the various reactions to it on numerous blogs.

There is a lot of agreement that passwords are never going to be the best way to authenticate, no matter how strong we make them. Other authentication factors - biometrics, software tokens, out-of-band responses and hardware devices - are all better but require greater or lesser degrees of action on the part of users. And users, as most of us know, are more reluctant to change than a baseball player on a hitting streak. Getting the changes implemented is going to be a slow slog, but there should be steady progress. So what else should we be working on?

One area that Dupouy and I discussed at length was validation - ensuring that the account that gets created accurately reflects the true identity of the entity that it's created for. This step can overcome much of the identity fraud (what the popular press calls “identity theft”) that is prevalent today.

But we also mentioned - and Gaehtgens emphasized - that beyond authentication comes authorization. Getting people to the proper resources - the ones they need as well as the ones they should be allowed to access - is the next big thing. It’s time for the entitlement management people to take the center ring and show us what tricks they have. The audience is ready. Perhaps we’ll hear some amazing things at next month’s Digital ID World in Anaheim.


Copyright © 2008 IDG Communications, Inc.