Enterprises across the globe need a way for their customers, partners, vendors, etc., to securely identify, authenticate and authorize against the identity service to grant access to the secure application. This is not new though. This way of providing access to applications is in place from the late 1960s. But, what really has changed is that the different ways and mechanisms that were used over different times to identify, authenticate and authorize a user.
Like how the computers are evolved from standalone to distributed to cloud computing, the applications that were built to run on these machines were also evolved from standalone to distributed to cloud applications.
Let us have a quick look at how authentication models work across different computing/application types –
1) Standalone application (Application that runs from a single hardware instance) – Username and password will be stored in the same machine to authenticate the user
2) Distributed application (Applications that run from multiple hardware instances) – In this case, both communicating principals should verify each other’s identity
3) Cloud applications (Applications that run from a cluster of multiple hardware instances at a data center) – Application can be accessed from anywhere over the internet by validating against the credentials
From the application hosting perspective, granting access and from the user perspective, gaining access are 2 different actions. However, tied to a single application. As login will be the first step into accessing the application the user experience will be far more important as well. Now let us look at some of the common identity management solutions that are common and securely used.
1) Password-less authentication – Identifying and authenticating the users without having to use their password during the login process. This is achieved by sharing the secret from an already signed-in app. In most cases, password-less authentication relies on the already signed-in app on a device to share the secret upon a request from an identity server. This signed-in app acts as a relying/trusted app for future logins from any other devices. For the password-less authentication to be working, the initially signed-in app have to use both username and password to sign in. So password-less is not truly password-less from the first login. Other ways of password-less authentication are done by sharing the secret through SMS and Email.
2) Two-factor/Multi-factor authentication – Apart from the usual username and password, there will be one or more additional validations before authenticating the users. Sometimes it is easy to confuse this approach with the password-less authentication, however, unlike password-less authentication the password is needed for every login attempt whenever a username field is requested for. The second factor of authentication is achieved by utilizing SMS or Email or Mobile apps or hardware that generates a one-time token.
3) Cloud identity – Rather than the enterprise maintaining the servers and software to manage identity, cloud providers like AWS, Azure, Google provide IDaaS (Identity as a service) for enterprises to manage the users at one centralized location. An added benefit of cloud identity is it’s easy to implement SSO across apps and define roles for users.
4) Federated identity – It is the most commonly used identity solution. In this case, identity management is not even handled by the hosted application or the enterprise. They rely on trusted third-party identity providers to authenticate on their behalf. It enables the users of one domain to securely access the data of other domain without having to replicate the identity of the same users in multiple domains.
5) Intelligent identity – One of a good example of the intelligent identity is Zero-trust architecture from BeyondCorp at Google. In this model, every request is first verified on the basis of the origination context. Every request adds several parameters like IP, location, session, etc and a context-aware proxy verifies it and determines whether to trust this request or not even before authentication. This eliminates traditional hacking technique like DDOS.
I will be happy to know more about your thoughts on the different types of identity solutions that you use in your application to improve the customer experience.