Image via CrunchBase
In the weekend, Meebo, along with companies like Google, Yahoo, Myspace, Disqus, Janrain, etc., announced the release of an open identity platform called XAuth. For Meebo, it gives an option to make their Meebo Bar more relevant among the publishers. For Google, this gives them another stick to beat Facebook Connect and Twitter’s identity system after they botched their OpenSocial plans. For users, this is supposed to give a better user experience with online authentication systems as it taps into the web services they use the most. In this post, I am going to briefly discuss about this new platform and see how it affects the SaaS users.
Definition Of The Problem:
One of the unique characteristics of the SaaS world is the mushrooming of vertical SaaS applications. Unlike the traditional software world, SaaS vendors focus on one niche area and do it well. The low cost of setting up a service in the current cloud based world has contributed to the mushrooming of services across many different verticals. This has lead to serious problems for both individual users and business organizations in terms of their identity and management. The problems range from issues like how the users’ are going to manage multiple usernames and passwords to how enterprises can ensure the credibility in authentication, authorization, etc.. Essentially, identity problem has become the biggest speed bump for the SaaS adoption.
From the individual users’ perspective, the myriad of SaaS applications poses a big problem with the handling of usernames and passwords as they have to remember too many of them. From an enterprise perspective, not only the proliferation of multiple usernames and passwords a big hassle, it also tears down their security because there is no way for them to enforce their security policies in this situation. On top of it, enterprises have to take care of regulatory requirements related to user access and any access to critical information. For example, Sarbanes-Oaxley requires an enterprise to implement stringent policy, processes and audit to regulate employee and non-employee access to critical business information. This makes SaaS identity problem a difficult one for the enterprises. In fact, this problem has turned away many users from SaaS, making this one of the most urgent problems facing the SaaS vendor community.
This is not just an issue of handling multiple identities but also an issue of lack of interoperability and presence of data silos. The lack of a single identity system to tie up multiple SaaS vendors/services makes interoperability and integration a more difficult problem to solve.
Potential Solutions and related issues:
One of the solutions is the federation of identity services. SaaS providers could outsource the identity and its management to third party providers and focus on their core competency. This way they could offer better rich functionality in their applications and better security. A federated system allows SaaS vendors to deploy stronger authentication, give SaaS users a choice of identity management services for authentication and, also, a way to enforce their authorization policies more effectively. There are many ways of doing implementing such a system, from a centralized provider like Facebook Connect to a more distributed option like OpenID.
Some users and organizations prefer a centralized approach because it is easy to use and manage. Plus, they will have a single throat to choke in case of a problem. However, this approach puts the user (or organization) at the mercy of the identity providers and it doesn’t bode well from a risk reduction perspective. On the other end of the spectrum is the OpenID, a distributed approach to identity and management. OpenID and OAuth could turn out to be the kind of solution we are looking for to solve the identity problems and interoperability issues. OpenID provides a single identity for the users with a distributed authentication system and OAuth provides a way to give access to users data without giving any access to the identity information. A combination of these two could offer a reliable and more secure authentication for the SaaS applications. However, the user experience with OpenID is very bad compared to, say, Facebook Connect. It leaves a lot to be desired and, hence, relatively lower adoption than what many originally envisioned.
The problem with OpenID and OAuth based implementations is that it is too daunting for average users. They are both overwhelmed and confused by the choices offered to them from a myriad of identity providers. This discourages them from using SaaS based applications even though they don’t have to create yet another username and password. In fact, the difficulty with OpenID based implementations also poses considerable problems for enterprises wanting to implement an OpenID-OAuth based system for their users.
XAuth to the rescue?
XAuth is being pitched as a perfect solution to solve this problem. XAuth stands between the identity provider and SaaS applications and offers the users just a handful of identity providers based on their usage patterns. By observing the services they access regularly, XAuth offers the identity system of the most used services. This cuts down on the confusion and offers the users the service they are comfortable with. This solution greatly simplifies the identity management and has the potential to make SaaS interesting to them. In short, XAuth could increase SaaS adoption because
- It greatly simplifies the login experience of users by offering them to use the providers they are already using regularly
- Being open source, it makes it easy for SaaS vendors to implement XAuth
However, there is one potential problem that could make XAuth a non-starter. The way in which it observes the access patters of users is really creepy. It has the potential to create a backlash from the users. However, users can disable it completely by visiting XAuth.org from their browser. Personally, I would have preferred an opt-in mechanism rather than an opt-out mechanism. But I don’t see it as a roadblock either. We saw how user backlash on Gmail’s implementation of contextual text ads vanished once users started experiencing the superior user experience of Gmail. If XAuth manages to offer the users similar satisfying experience, their concerns about privacy will eventually go away.
if done right, XAuth could make SaaS more palatable to both consumers and enterprises. But, it is too early to predict how it will turn out. XAuth is not the miracle pill needed to solve the SaaS identity management problem but it is a neat trick to enhance the user experience. I would love to hear from the SaaS vendors to learn more about what they think of XAuth and whether they consider it to be part of their future plans. Feel free to post your comments or send me an email.
I am both a consumer and IT security analyst and I don’t like this solution one bit. It does nothing to solve any real user issues (I don’t know anyone who has problems using Facebook Connect) while increasing the amount of data collected about the user. If, as you claim, consumer find OpenID too difficult how much more difficult will it be for them to understand how to disable XAuth?
I could see why you don’t like this as a security person. But I don’t agree that users will find it difficult to understand how to disable XAuth.