If the progress of the past 12 months is any indication, 2014 is poised for another jump forward in identity. In 2013, there was movement on many fronts. Acronyms gained awareness: MFA, IoT, API, REST, JSON and JWT. OAuth was approved and OpenID Connect neared its finish line. The duo provides a foundation that will influence 2014 identity developments in mobile, cloud, access control, federation, infrastructure and identity hubs.
The millions of passwords stolen in 2013 at sites ranging from Adobe to Facebook to GitHub may have rattled just enough end-users, service providers and online retailers to finally swing the needle closer to security and further away from convenience.
With all these developments in mind and a few more, Ping's CTO office has put together a list of seven predictions for 2014. In no particular order, here they are:
1. Multifactor Meets Usability
Mobile-based MFA will become increasingly prevalent, and its quality will improve. Everyone and their mother seems to have a neat little authentication system that leverages mobile devices, but in 2014 those that are more facade than foundational will be culled from the herd. This interest in MFA is the start of something bigger and will eventually dovetail into another trend, Things as a authentication factor. 'Something you Have' for authentication will be more and more enabled by Things whose primary purpose is not authentication, e.g. wearables like Fitbit Flex etc.
2. Bring Your Own Identity on the rise
Use of social identities within the enterprise will increase, especially when combined with MFA, a pair that will define the "trust factor." Use, however, will be governed by identity level of assurance (LOA) requirements. Social identity will be fine for resources that require minimum LOA, anything higher will demand a step-up to another identity type - perhaps company issued or approved.
Continuous authentication improves the identity assurance level of the session at authentication time, but also during the course of the session. Enterprises will begin to move away from assuming a static and constant level of assurance for an authenticated session. Combined with modern identity proofing mechanisms and local mobile biometric authentication, continuous authentication will decrease costs and increase usability. Explicit login events will become less common, i.e. you won't be asked to authenticate as much. But the flip side is that when you are asked to login, it will be more burdensome.
4. Federation at scale
Both business and technology limitations will present themselves to companies that attempt to use traditional static connections to scale federation with thousands or even hundreds of partners. Federation at scale will begin to incorporate technology such as Trust Frameworks, Multi-Party Federation (e.g., InCommon), Centralized Proxy architectures and Metadata Peering. Look for a combination of all or a sub-set of these techniques to emerge as an answer to scaling federation.
The list of identity vendors solving one or more IAM issues is getting broad and deep. The list will shorten in 2014 as consolidation puts some of these players under the wing of more aggressive or established identity vendors. Mobile authentication, password management and cloud SSO are some of the areas where competition is fierce and where these single solutions will crack under the holistic demands of enterprise buyers.
6. Identity becomes a fundamental discipline of cloud security
As the expanse of identity and access management requirements becomes clearer to IT, look for IAM to finally acquire its rightful place at the security world's adult table as a recognized and core tenet of acceptable cloud security. The annual RSA Conference in February, the Cloud Identity Summit in July and the Cloud Security Alliance Congress in December will add momentum to this transformation.
7. Standards-based user provisioning finally arrives
Services in the cloud are exploding and creating a need for provisioning that is approaching critical mass. The answer lies in the standards-based approach known as the System for Cross-Domain Identity Management (SCIM). SaaS vendor adoption will bring SCIM into the spotlight as those vendors implement the basic automated user management capabilities SCIM 1.1 addresses. Salesforce's adoption of the standard will drive the trend.
What are your predictions for Identity in the coming 12 months?
What impact will developments like NSA spying have on the evolution of the technology? How about the Internet of Things trend? What other events may play out in 2014? Tell us what you expect.