Posted by: Matt Heusser
Active Directory, BYOD, Identity Management, iPad, iPhone, LDAP
Do you remember Microsoft Passport?
The idea behind Passport was a single web-based login. You could use it for your Microsoft account, then surf on over to Amazon.com and you were logged in; surf on over to eBay, or Hotmail, or Etsy, whatever, take your pick, and you remained logged in. Combine that with Microsoft Wallet, and you could purchase items charged directly to your credit card.
It was a great idea, and it was to become part of Microsoft Hailstorm, a collection of web-based services.
Except that, oh yeah, right, it wasn’t.
Microsoft Hailstorm failed and was scrapped, almost exactly ten years ago. You could argue, and I think it’s worth taking seriously, that Hailstorm was ahead of its time, and that its time is actually today.
Today all the building blocks are in place for an identity service, and it could directly impact your business.
Let me explain
The obvious reason that Hailstorm/Wallet/Passport failed was that Microsoft was unable to secure the partners it needed – the eBays and Amazons of the world were unwilling or unable to trust Microsoft with the login keys. (For that matter, I suspect neither were the Mastercards or the Discovers.) A second was that Hailstorm pushed a centralized services model — the applications existed “in the cloud”, and how they would interoperate with your personal devices was murky. Finally, in those days, integrating with one of these services was a “project” that probably required a small team of people and a large amount of time. Like the chicken and the egg, companies didn’t offer Passport because it did not guarantee users, and users didn’t sign up because they couldn’t use it anywhere.
Facebook, on the other hand, hit 500 million users two years ago.
Beyond Facebook, there are several other popular options, including a Google Account, Twitter, or LinkedIn. On some “badge” or point-based sites, like StackExchange, I have lost track of which account to log in as, which means I have three accounts, each with about a third of the points I should have.
It also means new websites don’t need to build an authentication feature; they can re-use a code sample from one or two companies and be off to the races. Instead of taking time, sharing authentication suddenly saves you time.
Back in the Enterprise
“Bring Your Own Device”, or BYOD, is getting a lot of press right now; there are entire conference tracks about it. The gist of BYOD is that journalists got frustrated they could not get iPads, so they bought them for themselves and started using them for work — and started blogging and writing about it.
I’m only mostly kidding. iPhones and iPads (and that other thing about a robot, and the one that’s a fruit) all can take time that used to be ‘lost’ to the business and make it productive. It seems reasonable in my mind for people to take the systems they pay for out of pocket and volunteer to get company e-mail and, sometimes, some web services, on those devices. IT will figure out how to support these folks; it won’t even take very long.
I’m not talking about BYOD here – I am talking about my identity. Why do I need a separate login for work from the one I use for LinkedIn? LinkedIn knows who I am. They know where I work. To some extent, it seems reasonable that the company has an interest in my LinkedIn account. For example, I might make claims about what I do, or claim that I continue to work at the company after my employment ends.
Shouldn’t logging in to the company computer be as easy as logging in to LinkedIn?
It’s not that easy
Oh, I understand the objections. There are privacy concerns – who owns the data and the login? There are practical concerns; LinkedIn and Facebook are websites, and I need to authenticate to LDAP and Active Directory inside the firewall just to get to the machine. Plus there are a pile of permission issues: who can modify what email list, who can FTP to what box, what group am I a member of and what permissions does that group have on what machines — I get it. We’ve got a long way to go.
But, for the moment, just hear me out. What if we started to move our web architecture to make multiple, overlapping authentication schemes available, not just for public websites, but to streamline operations within our companies?
Repeat after me: The future is not Bring Your Own Device; that is the present.
The future is bring your own identity.
Right now, today, I can stitch together the external services I have described above. I am not talking about that.
I am talking about internal services.
Say you hire a new administrator tomorrow at BigCo. In Windows Seven and Eight land, he is stuck – he needs a security wallah to create a user ID, then needs to learn a new user ID and password combination.
What if, instead, there was a “Use my Facebook login” button in Windows 9? What if you configured the machine to allow the first person who clicked it to log in, then created his LDAP account based on the user who logged in? With today’s monitoring software, the risk is minimal, and you’d still have to create all the logins to external servers, FTP accounts, databases, etc., just like the old way.
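Here is what that “first click creates the LDAP account” flow looks like as code. This is an added example, not something from the post or from any Windows or LDAP product; it uses an in-memory dictionary as a stand-in for the directory, assumes the SSO library has already checked the external provider’s signature before handing over the assertion, and adds an admin-managed invitation list (my assumption, not the author’s) so that the first click only provisions the person who was actually hired.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed, hypothetical identity provider URL; only assertions from here are accepted.
TRUSTED_ISSUERS = {"https://accounts.example-idp.test"}


@dataclass
class DirectoryEntry:
    uid: str          # internal login name, the thing LDAP/AD would hold
    mail: str
    ext_issuer: str   # which external provider vouched for this person
    ext_subject: str  # the provider's stable user id, not the email


@dataclass
class Directory:
    """In-memory stand-in for the LDAP/AD directory the post talks about."""
    entries: Dict[str, DirectoryEntry] = field(default_factory=dict)
    # external (issuer, subject) -> internal uid; bound on first login, reused after
    bindings: Dict[Tuple[str, str], str] = field(default_factory=dict)
    invitations: Dict[str, str] = field(default_factory=dict)  # email -> uid to create
    audit: list = field(default_factory=list)  # what the "monitoring software" would see


def provision_or_login(d: Directory, assertion: dict) -> Optional[DirectoryEntry]:
    """Just-in-time provisioning: map a verified external login to an internal account.
    `assertion` is the claim set the SSO library returns after verifying the provider's
    signature (assumed done); this function decides whether to trust its contents."""
    iss, sub = assertion.get("iss"), assertion.get("sub")
    if iss not in TRUSTED_ISSUERS:
        d.audit.append(("reject", "untrusted issuer", iss))
        return None
    if not assertion.get("email_verified"):
        d.audit.append(("reject", "email not verified", assertion.get("email")))
        return None
    # Returning user: match on the provider's stable subject, never on the email,
    # because an email can change or be re-registered at the provider.
    uid = d.bindings.get((iss, sub))
    if uid:
        d.audit.append(("login", uid, sub))
        return d.entries[uid]
    # First click: only the person the admin invited gets an account created.
    email = assertion.get("email", "").lower()
    uid = d.invitations.pop(email, None)
    if uid is None:
        d.audit.append(("reject", "no invitation", email))
        return None
    entry = DirectoryEntry(uid=uid, mail=email, ext_issuer=iss, ext_subject=sub)
    d.entries[uid] = entry
    d.bindings[(iss, sub)] = uid
    d.audit.append(("provision", uid, sub))
    return entry
```

The invitation is consumed on first use, so a second external account presenting the same email address is rejected rather than silently given the new administrator’s account.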
Again, there is no “login with Facebook” feature in Windows 9.
Perhaps there should be.