Federated identity (FI) is the arrangement by which a user’s digital identity is linked across several otherwise independent identity management systems. In other words, it’s about using a single set of credentials – be they hardware-based, digital, or biometric – to sign in to systems across multiple departments or organizations.
Given the number of systems, both professional and personal, that the average employee must sign into and authenticate on a daily basis, deploying a federated identity solution that uses single sign-on is common sense: it prevents authentication overload and minimizes friction. FI is particularly important to IT departments, which must manage processes that span sprawling enterprises and serve multiple clients without compromising on security.
FI vs SSO – what’s the difference?
The terms ‘federated identity’ and ‘single sign-on’ are sometimes used interchangeably, but they are not identical. SSO is a subset of FI: it concerns only how authentication is achieved, namely that one authentication event grants access to several applications. Federation is the broader trust arrangement, governed by standards such as SAML and OpenID Connect, that lets that authentication event be recognized across organizational boundaries.
Most web users are already familiar with the concept of SSO, even if they don’t know it by name; it’s what lets a user who has signed in to one application open a second, related application without being asked to sign in again. Google and Facebook both deploy variants of SSO to provide single sign-in across their platforms. In the business world, meanwhile, the likes of Oracle and IBM provide SSO solutions for enterprises.
Federated Identity Management (FIM) sets the standards that determine how identities can be used across multiple organizations and apps. A user authenticates once with the identity provider in the FIM system, which then issues assertions about that user that the applications and partner organizations in the federation accept, governing the user’s access across all of them.
Problems with federated identity
For all the benefits that FI brings in granting access to multiple systems via a single identity, it has its drawbacks. These include:
- Risk of identity theft: a stolen federated credential or session is not limited to one application; it hands the attacker the keys to every system that trusts that identity, which could have major repercussions.
- Reliance on third parties: using a centralized entity such as Microsoft Active Directory Federation Services, as many enterprises do, outsources the security burden rather than eliminating it. Centralized parties also add vendor lock-in risks that may deter some partners from joining a federation.
- Expansion cost: FI can quickly become expensive when deployed across large organizations or a large number of systems.
- Stability: if a partner’s identity provider goes down, its users usually lose access to the whole ecosystem; if that identity provider is compromised, every relying party that trusts it is exposed.
One of the biggest challenges that businesses using federated identity face is determining how to integrate multiple identity providers efficiently without adding friction.
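The trust relationship behind the problems listed above can be seen in the checks a relying party performs on an assertion from the identity provider it has federated with. The following is an added example, not code from the original article or from any product it mentions: it uses a shared HMAC key in place of the public-key signatures that SAML and OpenID Connect actually use, and every issuer name, key and timestamp is constructed for the demo. It shows which failures the relying party’s checks catch (wrong audience, expiry, tampered claims, an issuer outside the federation) and the one they structurally cannot: an attacker holding the identity provider’s own key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer: str, key: bytes, subject: str, audience: str,
                    ttl: int = 300, now: Optional[int] = None) -> str:
    """Identity-provider side: mint an assertion bound to one relying party (aud)
    with a short lifetime. HMAC-SHA256 stands in for the IdP's signing key (demo only)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_assertion(token: str, trusted_issuers: Dict[str, bytes],
                     expected_audience: str, now: Optional[int] = None) -> dict:
    """Relying-party side. Each check enforces the trust placed in the IdP;
    none of them helps if the IdP's own key has been stolen."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(_b64url_decode(body))
        sig_bytes = _b64url_decode(sig)
        if not isinstance(claims, dict):
            raise ValueError("claims must be an object")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed assertion") from exc
    # 1. Only issuers listed in the federation metadata are trusted; the key is
    #    looked up by issuer name, never taken from the token itself.
    key = trusted_issuers.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    # 2. Signature check (constant-time compare) before any claim is believed.
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        raise ValueError("bad signature")
    # 3. Audience check stops an assertion minted for app A being replayed at app B.
    if claims.get("aud") != expected_audience:
        raise ValueError("assertion issued for a different audience")
    # 4. Lifetime check limits how long a leaked assertion stays usable.
    if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
        raise ValueError("assertion expired or not yet valid")
    return claims


def demo() -> dict:
    """Constructed scenarios: which failures the checks catch, and which one
    (a compromised IdP key) they cannot."""
    idp = "https://idp.example"           # constructed issuer name
    payroll = "https://payroll.example"   # constructed relying party
    idp_key = b"constructed-demo-key-do-not-reuse"
    trusted = {idp: idp_key}              # the relying party's federation metadata
    t0 = 1_700_000_000

    def outcome(token: str, audience: str, at: int) -> str:
        try:
            verify_assertion(token, trusted, audience, now=at)
            return "accepted"
        except ValueError as exc:
            return "rejected: " + str(exc)

    good = issue_assertion(idp, idp_key, "alice", payroll, now=t0)
    results = {"valid": verify_assertion(good, trusted, payroll, now=t0 + 10)["sub"]}
    results["wrong_audience"] = outcome(good, "https://hr.example", t0 + 10)
    results["expired"] = outcome(good, payroll, t0 + 600)

    body, sig = good.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["sub"] = "admin"               # attacker edits the claims, keeps the old signature
    tampered = _b64url(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    results["tampered"] = outcome(tampered, payroll, t0 + 10)

    rogue = issue_assertion("https://evil.example", b"attacker-key", "admin", payroll, now=t0)
    results["untrusted_issuer"] = outcome(rogue, payroll, t0 + 10)

    # Reliance on the third party: whoever holds the IdP's key *is* the IdP.
    forged = issue_assertion(idp, idp_key, "admin", payroll, now=t0)
    results["compromised_idp"] = outcome(forged, payroll, t0 + 10)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The last scenario is the point of the “reliance on third parties” and “stability” items: the relying party has no way to distinguish an assertion forged with a stolen identity-provider key from a genuine one, so the security of every application in the federation is bounded by the security of the identity provider.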
Solving the shortcomings of federated identity
A distributed solution for managing multiple identities and accessing a plethora of digital systems via a single ID can be seen as an upgraded version of federated authentication. Because of its decentralized design, such a solution does not depend on a single third party that every participant must trust, which is the root of the issues listed above.
We saw this work in practice when building a digital key project for a Fortune 500 auto manufacturer. By building the Auth solution on a distributed ledger, we created a single identity that enabled the manufacturer’s customers to sign in to multiple applications, and that let users control ownership, verification, and authentication of their identity. Each ID was registered on-chain, creating a digital key for vehicle owners that is designed to resist theft and tampering.
The benefits that Auth brought to the car manufacturer in question, and that it brings to other enterprises across a diverse range of industries, include:
- Improved security through verifiable credentials, and reduced regulatory complexity
- Simplified workload (federated SSO, built-in MFA)
- Reduced onboarding costs for new partners
- Solution that scales as the business or ecosystem grows
- Ability to leverage smart contracts to implement sophisticated business rules related to identity
Trustless federated identity
Traditional federated identity systems are built on trust. Every party must trust the centralized identity provider tasked with authenticating requests and granting access, so that provider becomes a single point of failure: a phished credential at the identity provider, or a breach of the identity provider itself, exposes every application that relies on it. As a result, FI systems are susceptible to common attack vectors such as phishing and are prone to data leaks.
Auth provides a decentralized solution that eliminates gatekeepers: users register their identity on-chain and then authenticate with it without requiring the permission of a third party. By minimizing the attack surface and removing single points of failure, Auth bolsters the security of FI while retaining the characteristics that have made federated identity the authentication method favored by organizations worldwide.