Last issue I talked about the two recent acquisitions in the enterprise single sign-on and software-as-a-service sectors but there was more happening last week, and it was in the user-centric identity space. One was the acquisition by Microsoft of Credentica and the other a launch of yet another OpenID provider, Clickpass.
In what I saw as a surprise move, Microsoft acquired security vendor Credentica so that, apparently, Redmond could merge Credentica's U-Prove technology into the Windows Cardspace platform. Microsoft Identity Architect Kim Cameron has, in the post, spoken well of Credentica’s Stefan Brands and assures me that this “odd couple” (you’ll understand that reference if you’ve ever seen them address a conference. Stefan is Mr. “cool efficiency” while Kim is as likely to forget which city he’s in – or which presentation he’s giving!) will work well together. Time will tell, but it is a move that Microsoft had to make.
The elegance of the U-Prove technology – and the iron-clad security it gives – should be the final nudge Cardspace needs to set it on the road to being the dominant SSO technology, first on the Web and then later in the enterprise. The key factor is the privacy issue – U-Prove makes transactions unlinkable on any level by any party – even the SSO identity provider! There is nothing else in the SSO space that even comes close.
Certainly not OpenID, the other major claimant for user-centric SSO supremacy. Last week saw the launch of yet another OpenID provider, Clickpass. Clickpass is a branded OpenID provider, like AOL and Yahoo, for example, that wants relying parties to place its logo on Web sites so that users can “log in to Web sites with the click of a button.” The button being, of course, the Clickpass logo. As the relying party, you can choose to place the logo on your login page along with the “click here to log in with Yahoo” and “click here to log in with AOL” and “click here to log in with OpenID” and “click here to log in with your username/password” and “click here to log in with Cardspace” and heaven knows how many other odd looking logos/text boxes/links! There’s a Clickpass add-on for Wordpress blogs which, interestingly enough, can’t co-exist with the standard OpenID plug-in for Wordpress! This is progress?
OpenID promised that by using the technology we would no longer need to have multiple username/password combinations for multiple Web sites – one OpenID would work for all. Or, of course, we could choose different OpenIDs for different sites. But the point was that we wouldn’t need to remember a huge number of username/password combinations. Now, it seems, we’re replacing multiple username/password combos with multiple OpenID providers. And we’re, once again, forced to remember which provider we used to authenticate to which Web sites! OpenID hasn’t reduced the number of authentication ceremonies – it's actually increasing them, and cluttering up the landing page of any Web site that wishes to offer as many of the “branded” OpenID authentications as possible. The OpenID Foundation needs to get to work, quickly, to rein in this proliferation of SSO “buttons” or risk becoming irrelevant outside the blogging community. Cardspace, with the U-Prove acquisition, has already far outdistanced OpenID in security and privacy. The next step may well be to outdistance OpenID in ubiquity.