Amazon and AWS Moves Further Validate The Value Of Portable Identity

Social sign-in has become a powerful force for marketers and consumers, validating the notion of federated identity in consumer-facing contexts. (Ironic that consumerization of IT is successfully tackling even the single sign-on problem that has bedeviled IT, showing how identity for the top line of the business can overcome resistance in ways that business-to-employee scenarios typically can't.)

But not all consumer-facing federated SSO is social. When I was with PayPal, our team worked on the underpinnings of what eventually turned into Log In with PayPal, which is strictly about federated identity flows for commercial purposes. And today Amazon has come out with Login with Amazon, a powerful statement of Amazon-as-identity-provider. They've been testing this with their own web properties Zappos and Woot; now they're enabling third-party merchants and other sites to use Amazon for authentication of people who already have active Amazon accounts, along with learning a few selected user attributes: name, email, and optionally the zip code of the default shipping addresses. No huge social graphs here, just data that partner eCommerce sites need to function (and make money).

As I discussed in my Outsourcing Identity Assurance research a while back, consumer-facing federated identity puts the focus on volume and the business upside therein, not (formal) verification. Active Amazon customers, numbering 200 million, are already online purchasers. That's super-valuable to merchants considering the relying party proposition, even though it's entirely outside the various government efforts to support "trusted identities in cyberspace" for more and safer eCommerce.

Where is all this going?

  • Consumer bring-your-own-identity is going to tie ever more closely to online wallets. PayPal's offering is mature enough to include a seamless checkout option for merchants; Amazon will eventually need to go here as well. 1-Click for third-party purchases tied to Amazon login and backed by AWS-fueled fraud management, anyone?
  • Federated login is going to become as common as local account login for social, commercial, and citizen-facing use cases. In some cases, this will mean "NASCAR" login interfaces with a sea of IdP logos; in others, such as with Amazon and Zappos today, you the customer will get a single choice, like it or lump it. In the former case, we're going to see "Forgot your IdP?" as often as "Forgot your password?" (On this topic, stay tuned for new research we've got coming out on customer-facing authentication, which discusses the usability/security challenge.)

Separately, Amazon Web Services came out with interesting identity news of its own, unveiling something called Web Identity Federation as their answer to the challenge of propagating end user identities into developer/application/API contexts. There's now a lot of identity and credential data being flung around in cloud and mobile situations; let's try and tease them out. In my recent report API Management For Security Pros, I presented this diagram:

Managing credentials and access in an API ecosystem

AWS already knows about developer and app identities (the entities in green), but the actual end user of the app (the entity in orange) may not be known yet. In fact, that person may not even have an Amazon login, much less AWS credentials. So Web Identity Federation is its bid to enable inward propagation of the end user's chosen identity (which could be hosted by Amazon or even Facebook or Google – yes, AWS is becoming an equal-opportunity relying party) for proper access control, personalization, and so on. A new Security Token Service (STS) API helps manage all the cross-domain "flinging." It's good stuff, and about time; this was becoming a competitive catchup issue. Microsoft's Windows Azure already has a fairly well thought-out answer to this problem.

What to take away from this news, then?

  • Zero Trust run-time identity propagation will be the name of the game for all cloud and mobile services. We can no longer tolerate IAM silos for different purposes and populations; there's no such thing as a B2C or B2E identity in isolation anymore, and now we have to account for B2D (business-to-developer) identity too.
  • Emerging standards have set the bar for cloud platform security and identity. These standards, heavily leveraging OAuth and JSON Web Tokens, are the lowest-cost way to do serious, agile, mobile-friendly security and identity. Don't stand for any less.

Comments

Convergence of Identity and eCommerce

Great post, Eve. I think you're spot on that the next logical step for portable identity within certain industry verticals is a convergence of identity and eCommerce or payment. PayPal, encouragingly, sees the opportunity and I expect to see other identity providers move in that direction in the future.

To your other point, we are already seeing preference for social login outweigh traditional account creation and registration on websites. Many of our own customers are offering social login and traditional registration side by side, and finding that a majority of visitors are choosing to register using an existing identity from one of the large social, email and commerce networks (Facebook, Google, LinkedIn, Twitter, PayPal, etc.).

If you look at how the landscape has evolved over the years, the technology has evolved to solve the "forgot your IDP" challenge, by using cookies or local storage to remember a consumer's preferred identity provider on return visits to a site, and "hiding" the other identity providers from the login interface. You can see an example of this here -http://janrain.com/wp-content/uploads/2013/02/5-social-login-return-experience.png.

Michael Olson
Product Marketing Manager
Janrain (http://www.janrain.com)

keeping them out

so how do we keep the bad guys out of our hard drives. Or will those be obsolete. I knew I had a serious problem when I jokingly named my encrypted Ubuntu disk "This machine fights fascists", crashed and burned the OS and gave it another name, and then six months later find my wife's hidden disk contained the name on the disk as "tHIS dISK fIGHTS fASCISTS". I've got some really good clues who it was, but nobody that lives here. But how do we stop that kind of no good snooping.

Account registration and management 2.0

Hi Michael-- Thanks for writing in. If ever we needed a reminder that individuals favor convenience over just about everything else, silent (or nearly so) registration into websites with social login provides one.

I gather JanRain has announced support for Login with Amazon already (and I know it has supported Log In with PayPal for a while :-). These types of integrations are happening faster and faster all over. Identity singularity, here we come...