Thursday, September 16, 2010

Disappearing IdPs!

Recently, I was passed this link: Disappearing IdPs. It is quite interesting news: a popular IdP folding! The danger the article points out is quite real, and the frustration for the users is enormous.

Though I do not quite see this danger becoming prevalent or commonplace (like traffic accidents, for example), the probability of it happening is uncomfortably high: there is no guarantee that a particular web site will not fold, for ever. As the article points out, it may not happen with Google or similar providers. However, there are other dangers lurking: the credentials at the IdP could be stolen, the provider could be down for prolonged periods (a DoS, for example), or the local government could decide to block the IdP for whatever reason (it can certainly happen to Google, given how big it is).

This danger needs a solution. One thing I could think of is federation. All service providers MUST use federation instead of plain SSO. The local user ID could still be the user ID from the IdP (assuming there are not going to be conflicts across domains; email IDs can prevent such conflicts). There must be a compulsory step that lets the user create a local identity after they log in with their IdP credentials for the very first time. Support for these credentials (password self-reset, for example) can follow the standard paradigms (maybe security questions?! see my earlier post!). But the key is that the user can now log in with the local credentials as well, and that path is available in emergencies such as when the IdP is not available. The trade-off is that the local credential becomes a second way into the account, so it has to be protected at least as well as the federated login is.
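The following is an added example written for this post, not the author's code or any product's. It models the proposal above in Python: the e-mail address is the cross-domain user ID, the first federated login creates the local account and flags that a local credential must still be set, and a password login exists only as the fallback for an IdP outage. Every name in it (AccountStore, federated_login, set_local_password, local_login, authenticate) is hypothetical, and it assumes the federation layer has already verified the assertion's signature and audience before the assertion reaches federated_login().

```python
"""
Federated login with a compulsory local credential as a fallback for an IdP outage.
Added example for this post; not the author's code. All names here are hypothetical.
Assumption: the federation layer has already verified the assertion's signature and
audience before it reaches federated_login().
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000
MIN_PASSWORD_LEN = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    """Local accounts keyed by e-mail address, which serves as the cross-domain user ID."""

    def __init__(self) -> None:
        # email -> {"email", "idps": {issuer: subject}, "salt": bytes|None, "hash": bytes|None}
        self.accounts = {}

    def federated_login(self, assertion: dict) -> Tuple[dict, bool]:
        """Log in with a verified IdP assertion {"issuer", "subject", "email"}.
        Creates the local account on first use and returns (account, must_set_local_credential).
        Trusting the e-mail claim from any issuer is an assumption of this example."""
        email = assertion["email"].strip().lower()
        issuer, subject = assertion["issuer"], assertion["subject"]
        acct = self.accounts.get(email)
        if acct is None:
            acct = {"email": email, "idps": {}, "salt": None, "hash": None}
            self.accounts[email] = acct
        known = acct["idps"].get(issuer)
        if known is not None and known != subject:
            # Same e-mail and IdP but a different subject: an identity conflict, not a re-login.
            raise ValueError("IdP subject does not match the one linked to %s" % email)
        acct["idps"][issuer] = subject
        return acct, acct["hash"] is None

    def set_local_password(self, email: str, password: str) -> None:
        """The compulsory post-first-login step: a credential that does not depend on the IdP."""
        acct = self.accounts[email.strip().lower()]
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LEN)
        acct["salt"], acct["hash"] = hash_password(password)

    def local_login(self, email: str, password: str) -> bool:
        """Password login for when the IdP is unreachable. Unknown accounts and accounts without
        a local credential still pay the PBKDF2 cost, so timing does not reveal which e-mails exist."""
        acct = self.accounts.get(email.strip().lower())
        if acct is None or acct["hash"] is None:
            hash_password(password, b"\x00" * 16)
            return False
        _, digest = hash_password(password, acct["salt"])
        return hmac.compare_digest(digest, acct["hash"])


def authenticate(store: AccountStore, idp_available: bool, assertion: Optional[dict] = None,
                 email: Optional[str] = None, password: Optional[str] = None) -> Tuple[bool, str]:
    """Policy: prefer the IdP; accept the local credential only during an IdP outage.
    Returns (success, path); path is "federated", "federated-setup-required", "local" or "denied"."""
    if idp_available and assertion is not None:
        _, setup_required = store.federated_login(assertion)
        return True, ("federated-setup-required" if setup_required else "federated")
    if not idp_available and email is not None and password is not None:
        ok = store.local_login(email, password)
        return ok, ("local" if ok else "denied")
    return False, "denied"


if __name__ == "__main__":
    # Constructed walk-through: first IdP login, local credential setup, then an IdP outage.
    store = AccountStore()
    assertion = {"issuer": "https://idp.example", "subject": "u-1234", "email": "Alice@Example.com"}
    print(authenticate(store, True, assertion=assertion))
    store.set_local_password("alice@example.com", "correct horse battery staple")
    print(authenticate(store, True, assertion=assertion))
    print(authenticate(store, False, email="alice@example.com", password="correct horse battery staple"))
    print(authenticate(store, False, email="alice@example.com", password="guess"))
```

Two design points worth noting. The "federated-setup-required" path is how the compulsory step is enforced: the service should only hand out a session restricted to the credential-setup page until a local password exists. And the local path is deliberately refused while the IdP is available, so the weaker fallback credential does not quietly become the everyday login.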

There could be other thoughts. I would certainly like to hear them.
