Web services--online applications that invoke other applications via standard protocols--now require that users authenticate themselves to each application, analogous to someone having to present a building pass at the front entrance to a building and then again at the elevator, the office door, the lavatory, etc.
Liberty Alliance, a 2-year-old project backed by 170 companies, has published a set of technical and business guidelines for a "federated" identity model in which the user logs in once at the beginning of a transaction and SAML (Security Assertion Markup Language) assertions carry proof of that authentication to each application touched at the intermediate stages.
By enabling companies to automate the task of authenticating customers, employees, suppliers, and partners, the Liberty Alliance and SAML remove an obstacle to the adoption of Web services. Web services' potential can't be realized until organizations can manage trusted relationships without human intervention, says Michael Barrett, president of Liberty Alliance and VP of Internet strategy at American Express.
A four-month review by the Financial Services Technology Consortium (FSTC) concluded that Liberty Alliance and SAML have the potential to quell consumer fears over identity theft. The review was backed by Bank of America, Citigroup, Fidelity Investments, Glenview State Bank, J.P. Morgan Chase & Co., National City Bank, University Bank, and Wells Fargo Bank.
Although banks have moved to protect themselves against attacks from hackers, viruses, and network sabotage, they've been poor at communicating the steps they've taken to protect customers from online fraud, says George Tubin, a senior analyst in TowerGroup's delivery-channels service.
Fear of identity theft has stymied adoption rates of online services such as account aggregation, which lets wealthy individuals and their advisers view accounts at multiple financial institutions on a single Web page. For example, Yodlee Inc., a software company whose aggregation technology is used by banks and portals such as Yahoo, gathers account information from financial institutions by logging on to their Web sites using the account holder's ID and password, then either screen-scraping the data or getting it via a direct data feed from the institution. While the account holder explicitly grants permission to Yodlee to use his or her IDs and passwords, banks have no way of knowing whether it's Yodlee or the account holder who's logging in.
That's scary for banks, especially when they're faced with laws aimed at squelching identity fraud. For example, California's new Security Breach Notice Law requires businesses to notify customers whenever personal information stored in a database has been compromised. "That's a tough regulation to comply with when you've got aggregators logging in to banks impersonating end users," says Mike McCormick, a systems architect at Wells Fargo and a member of the FSTC's Security Standing Committee.
Under the federated model, authentication is performed by the financial institution, not Yodlee. Instead of logging in to a bank's Web site using a user's ID and password, Yodlee receives an assertion from the bank that the user has already been authenticated. Says Schwark Satyavolu, chief technology officer at Yodlee, "The FSTC is looking at eliminating the need for end-users to share IDs and passwords in order to get the benefits of account aggregation."
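To make the hand-off concrete, the following is an added example (not code from the article, Liberty Alliance, Yodlee or the FSTC) of the two halves of that exchange: the bank, as identity provider, issues a signed assertion after the customer logs in, and the aggregator, as relying party, accepts the customer only if the assertion verifies, is addressed to it, is inside its validity window and has not been presented before. The issuer and audience URLs, the key and the customer identifier are constructed for the example. Real SAML assertions are XML, signed with the bank's X.509 key under XML-DSig, and carry these same constraints in the Conditions (NotBefore, NotOnOrAfter, AudienceRestriction) and SubjectConfirmationData elements; to stay stdlib-only this version uses a JSON body under an HMAC with an assumed bank-to-aggregator shared key, which is a simplification, not how Liberty/SAML deployments sign.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed identifiers and key for the example. Real SAML deployments sign
# with the bank's X.509 key (XML-DSig), not a shared HMAC secret.
BANK_ISSUER = "https://bank.example/idp"
AGGREGATOR_AUDIENCE = "https://aggregator.example/sp"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())


def issue_assertion(subject, audience=AGGREGATOR_AUDIENCE, ttl=300, now=None):
    """Bank side: the customer has already authenticated at the bank, so emit a
    signed statement of that fact, addressed to one relying party, with a short
    lifetime. The customer's bank password never leaves the bank."""
    now = time.time() if now is None else now
    payload = {
        "id": secrets.token_hex(8),   # unique per assertion; lets the relying party spot replays
        "issuer": BANK_ISSUER,
        "subject": subject,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + ttl,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_assertion(token, expected_audience=AGGREGATOR_AUDIENCE, now=None, seen_ids=None):
    """Aggregator side. Returns (subject, None) when the assertion is acceptable,
    otherwise (None, reason). Pass a set as seen_ids to reject re-presented
    assertions; the same token is then accepted at most once."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed token"
    body, sig = parts
    # Check the signature before trusting any field (constant-time compare).
    if not hmac.compare_digest(sig, _sign(body)):
        return None, "bad signature"
    payload = json.loads(_unb64(body))
    if payload.get("issuer") != BANK_ISSUER:
        return None, "unknown issuer"
    # An assertion minted for another relying party must not be accepted here.
    if payload.get("audience") != expected_audience:
        return None, "audience mismatch"
    if not payload["not_before"] <= now < payload["not_on_or_after"]:
        return None, "outside validity window"
    if seen_ids is not None:
        if payload["id"] in seen_ids:
            return None, "replayed assertion"
        seen_ids.add(payload["id"])
    return payload["subject"], None


if __name__ == "__main__":
    # Fixed clock values so the run is reproducible.
    token = issue_assertion("customer-4711", now=1000.0)
    print(verify_assertion(token, now=1100.0))   # accepted
    print(verify_assertion(token, now=1400.0))   # expired, 300 s lifetime
```

The point of the audience and validity checks is the one Wells Fargo's concern turns on: with credentials the bank cannot tell an aggregator from the account holder, whereas an assertion names who issued it, who may consume it and for how long, so a stolen or forwarded one is useless elsewhere or later.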
Performance and interoperability issues with SAML and Liberty Alliance remain. SAML compliance doesn't guarantee interoperability between implementations, the FSTC says in its report, "Identity Management in Financial Services." Robust session management, such as tracking and ending a user's session across the participating sites, isn't addressed by SAML/Liberty Alliance and must be handled in other ways, the report notes.
Since the publication of its phase 2 technical specification earlier this year, Liberty Alliance has devoted itself to addressing the business requirements of the federated model. "Now that our technical work is under way," says Liberty Alliance president Barrett, "we must help facilitate adoption of federated identity across industries."