GUEST ESSAY: The case for shifting to ‘personal authentication’ as the future of identity

By John Callahan

I currently have over 450 accounts that use passwords combined with a variety of two-factor authentication methods.


I don’t know every password; indeed, each password is long, complex and unique.

In effect, my passwords are now “keys” — and I must authenticate across many accounts, multiple times per day, on a variety of device platforms.

Only a dozen or so of my accounts get authenticated via self-hosted services. This is an emerging form of personal authentication, if you will, that represents the future of identity.

These accounts share a common authentication manager, also self-hosted, that uses OpenID Connect (OIDC). When I try to log into one of these self-hosted accounts, such as an address book web app, I am redirected, via OIDC, to the self-hosted identity manager and prompted to login.

After a successful login, I am redirected back to my original self-hosted account (e.g., the address book web app). It is my own “login with me” service implemented as a personal login-as-a-service (LaaS) like “Login with Google” or “Login with Facebook” but self-hosted instead.

These existing LaaS services each have a pre-arranged relationship with every account that accepts them: the application is registered with the provider ahead of time and the two share credentials (an OIDC client ID and client secret, or exchanged signing certificates and metadata in the case of SAML). These relationships are implemented via protocols like SAML (Security Assertion Markup Language) and OIDC.


My self-hosted LaaS is an identity manager that also keeps track of which sessions are active, which service has access to my identity attributes (via OAuth2 scopes) and when they were last accessed.

It also allows me to select various authentication methods on a per-service basis and any associated multi-factor authentication (MFA), and allows me to revoke current tokens. I get a bird's-eye view of who has access to my information and where I am trusted.
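To make the redirect flow described above concrete, and to show the bookkeeping the identity manager does (which client holds a token for which identity and scope), here is an added example in Python that is not code from the essay or from Veridium. It models both sides of an OpenID Connect authorization-code login: the relying party (the address-book app) and the self-hosted OpenID Provider. The issuer URL, client ID, client secret and redirect URI are invented; HTTP redirects are passed as URL strings between the two objects, and the ID token is an HS256 JWT signed with the client secret (OIDC permits this for confidential clients; a production provider would normally use RS256 or ES256 with published keys). Token revocation is not modelled.

```python
"""OpenID Connect authorization-code round trip between a relying party (RP, the
address-book web app) and a self-hosted OpenID Provider (OP). Added example, not
the essay's code. All names, URLs and secrets below are invented."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://id.example.net"                        # assumed self-hosted OP
CLIENT_ID = "addressbook"                                # assumed registered client
CLIENT_SECRET = "replace-with-a-random-32-byte-secret"   # assumed shared secret
REDIRECT_URI = "https://addressbook.example.net/callback"  # registered at the OP

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: str) -> str:
    """Compact JWT header.payload.signature with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_hs256(token: str, secret: str) -> dict:
    """Pin the algorithm, check the MAC in constant time, return the claims."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose its own algorithm
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))

def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class Provider:
    """Self-hosted OP: client registrations, one-time codes, ID tokens, session record."""
    def __init__(self, clients: dict):
        self.clients = clients   # client_id -> (client_secret, redirect_uri)
        self.codes = {}          # code -> pending grant, consumed on first use
        self.sessions = []       # (client_id, sub, scope, issued_at): who holds what

    def authorize(self, request_url: str, logged_in_user: str) -> str:
        """The user has just authenticated at the OP; redirect back with a code."""
        q = _query(request_url)
        _, redirect_uri = self.clients[q["client_id"]]
        if q["redirect_uri"] != redirect_uri or q["response_type"] != "code":
            raise ValueError("unregistered redirect_uri or unsupported response_type")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "sub": logged_in_user, "nonce": q["nonce"],
                            "scope": q["scope"], "expires": time.time() + 60}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code: str, client_id: str, client_secret: str) -> str:
        """Back-channel exchange: code + client credentials -> signed ID token."""
        grant = self.codes.pop(code, None)  # pop makes a replayed code fail
        secret, _ = self.clients[client_id]
        if grant is None or grant["client_id"] != client_id or grant["expires"] < time.time():
            raise ValueError("invalid, expired or replayed code")
        if not hmac.compare_digest(secret, client_secret):
            raise ValueError("bad client secret")
        now = int(time.time())
        self.sessions.append((client_id, grant["sub"], grant["scope"], now))
        return sign_hs256({"iss": ISSUER, "sub": grant["sub"], "aud": client_id, "iat": now,
                           "exp": now + 300, "nonce": grant["nonce"]}, secret)

class RelyingParty:
    """The address-book app: sends the browser to the OP and validates the result."""
    def __init__(self):
        self.pending = {}        # state -> nonce, one entry per browser login attempt

    def start_login(self) -> str:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return f"{ISSUER}/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid profile", "state": state, "nonce": nonce})

    def finish_login(self, callback_url: str, op: Provider) -> str:
        q = _query(callback_url)
        nonce = self.pending.pop(q.get("state"), None)  # unknown state: CSRF or injected login
        if nonce is None:
            raise ValueError("unknown state")
        claims = verify_hs256(op.token(q["code"], CLIENT_ID, CLIENT_SECRET), CLIENT_SECRET)
        if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
            raise ValueError("token not issued by the expected OP for this client")
        if claims["exp"] < time.time() or claims["nonce"] != nonce:
            raise ValueError("expired token or nonce mismatch")
        return claims["sub"]

def login_round_trip(user: str = "john") -> str:
    op = Provider({CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})
    rp = RelyingParty()
    return rp.finish_login(op.authorize(rp.start_login(), user), op)
```

The checks that carry the security of this flow are the ones a self-hosted provider still has to get right: `state` binds the callback to the browser session that started the login, `nonce` binds the ID token to that request, the authorization code is consumed on first use, the `redirect_uri` must match the registration, and the relying party validates `iss`, `aud` and `exp` and pins the signing algorithm rather than trusting the token header. The `sessions` list is the raw material for the "who has access to what" view the essay describes.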

Scale to come

The only problem is that my identity manager is not interoperable: none of the other 400-plus accounts has registered it as a trusted identity provider, so I cannot use my self-hosted LaaS to log into them. But that will change thanks to modern technologies based on blockchains.

Efforts like Self-sovereign identity (SSI) and Personal Identity Ecosystems (PIE) envision a future of decentralized identity but are having trouble gaining traction.

The lack of supporting infrastructure for decentralization is one of the largest barriers to progress. Many decentralized identity efforts focus on the HOW instead of keeping their eye on the WHY: why do we need decentralized identity?

We need decentralized identity to establish two-party trust that scales. Instead of “Log in with Google” we need “Login with ME” for billions of individuals globally. That cannot be done by registering a pairwise secret between every service and every personal provider; the trust anchors that let a service verify a login from a provider it has never seen before have to be published and discoverable at large scale, and decentralized technologies like blockchain are how that can be done.

We are already seeing the foundation being laid to establish trust across personal LaaS via distributed ledger technologies like blockchain. And the economic, regulatory and exchange protocols are being established to support decentralized trust.

Sharing protocols

Personal authentication does not seek to replace current identity services like “Login with Google” but instead sits alongside them using the same protocols. It also doesn’t make current login managers obsolete, but instead provides growth opportunities.

Self-hosting is just a deployment option: current password managers will move into hosting LaaS. Personal authentication can boost the business of identity-as-a-service (IDaaS) providers, because it builds on the protocols they already run.

Users can manage their own identity credentials, port them to supporting vendors and platforms, and replicate their own provider services as they see fit.

Instead of a mainframe computer for identity services, we need to support personal authentication that lets users upgrade at their own pace.

About the essayist: John Callahan is chief technology officer at Veridium, a leader in passwordless, user-centric authentication solutions.
