The new tone of “Identity Governance” (with a small g; credit to Geoff) is stepping in as the new sheriff of the language marketing game. Kind of like what “Cloud” did with aggregating storage area network clusters with unused parking data spaces. No offense.
Identity Management (IdM): the acronym that ‘doesn’t Mew’ anymore. That once well-known, 25+ year old, industry-coined term has occupied my life since 2000. That terminology to me just doesn’t have that same Mew to it these days. Maybe we just need more “Cowbell”.
In this case it’s acceptable to gently speak that “G” word as it relates to preventing security breaches or the recent clever social engineering tactics against Verizon. Incorporating governance, that is, enforcing identity security policies, is not commonly practiced even as it is being discovered to be commonly important.
The basic principles I’m accustomed to are, first, ensuring a core Identity is bound to personally identifiable information (PII) from an HCM system that can be authorized by a centralized Identity Store. Just create them an easy to remember ID and password, then tell them not to share it with anyone. Of course it’s abstracted through a REST Web Service over encrypted and authorized channels – Oracle API Gateway is a cool tool for that!
Secondly, which Steve Jobs would argue as first, is allowing the user to have the ultimate friendly experience with a rich set of self-service controls that are, of course, secure. Ever used online sites that limit the usability by making you create “Logins” or “Accounts” to gain access to their site? They may have forced you to select 1 of many bad questions to answer? Password Reset time… Who can really remember what street their grandparents grew up on or what you did on New Year’s of 2000?
Where’s ole’ SAML 2.0 hiding? It’s still around and kicking, while I see the concept of federation dangling, just not the protocol. What’s really become fascinating to watch is how the big social sites are leveraging next generation protocols like OAuth for authentication in the “one login” approach. The idea is authenticating your access from a third-party identity provider into a remote system (service provider) without traditional credentials like a username/password. It’s really convenient for registration on sites too, when you’re not asked to fill in those long sets of questions.
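As an added example (not code from the original post), here is the service-provider side of that “one login” flow: an OAuth 2.0 / OpenID Connect authorization-code request and the callback checks that bind the returned code to the browser session that started it. OAuth 2.0 by itself is an authorization framework; the login use the post describes is what OpenID Connect layers on top, and the state/PKCE binding shown applies to both. The identity provider URL, client id and redirect URI are constructed placeholders, not a real provider.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders standing in for a real identity provider and client.
IDP_AUTHORIZE_URL = "https://idp.example/authorize"
CLIENT_ID = "demo-relying-party"
REDIRECT_URI = "https://sp.example/callback"


def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding RFC 7636 (PKCE) uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge = base64url(sha256(ascii(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def begin_login() -> tuple[str, dict]:
    """Build the authorization request. Returns the URL to send the browser to
    and the per-login secrets the SP must keep server-side in the user's session."""
    state = b64url(secrets.token_bytes(16))        # ties the callback to this browser session
    nonce = b64url(secrets.token_bytes(16))        # the IdP echoes it inside the ID token
    code_verifier = b64url(secrets.token_bytes(32))  # PKCE: only this client can redeem the code
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email", "state": state, "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier), "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "code_verifier": code_verifier}
    return f"{IDP_AUTHORIZE_URL}?{urlencode(params)}", session


def handle_callback(callback_url: str, session: dict) -> str:
    """Validate the IdP's redirect back to us and return the authorization code.
    A state mismatch means this response was not started by this session (login
    CSRF), so it is rejected before any token exchange is attempted."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(f"IdP returned error: {q['error'][0]}")
    returned_state = q.get("state", [""])[0]
    if not secrets.compare_digest(returned_state, session["state"]):
        raise PermissionError("state mismatch: callback not bound to this session")
    if "code" not in q:
        raise PermissionError("callback carried no authorization code")
    # Next step (not shown): POST the code plus session["code_verifier"] to the IdP's
    # token endpoint, then check the ID token's issuer, audience, expiry and nonce.
    return q["code"][0]
```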
What about that dreaded message “Sorry, that username is in use”? I know… this has been around since 2006, however the “mobility first” mentality has only taken off in the past couple of years. Especially since we now wear them on our wrists to bed to monitor our sleep patterns or to never miss that call again.
Need an easy two-factor approach? I personally use a tool called “CLEF” for authentication to my web sites, which allows me to never use an ID or Password again. Just enter a 4-digit PIN (what I know), point the camera at the screen (what I have) and Bam, I’m in!