SSO is only one type of federated ID management. There are other more notable systems, such as one-time password (OTP) tokens. OTPs are gaining popularity as a two-factor authentication method for financial Web sites that need to comply with the Federal Financial Institutions Examination Council (FFIEC) directive, which states that all financial Web sites who participate in high-risk transactions must use two-factor authentication to secure customer information.
An OTP token generates a random PIN number every 30 or 60 seconds, which the user enters in addition to their user ID and password to log on to a system, like a Web site. The OTP provides an extra layer of protection, as it's nearly impossible to crack that ever-changing PIN number. Therefore, even if the user ID and password are stolen or sniffed off the network, the OTP still blocks access, malicious or otherwise.
If the OTP's popularity continues to increase, customers could find themselves carrying a key ring full of tokens, one for each of their banks, credit cards or other financial Web sites. The goal of federated identity management is to stop that. In an ideal world, users would carry one token to access all their systems, no matter who ran it.
Federated ID management is still in its infancy. It's been slow to take off, partly because competing companies and financial institutions would have to agree on a unified standard and IT architecture for such a system. There are initiatives in progress, some working to create standards across different companies. Two of the most famous are the Microsoft Passport initiative and the Liberty Alliance. IBM is also developing one for the private sector and OASIS is developing a federated identity solution for Web services.
This was first published in July 2006