A government-sponsored consortium of state and federal agencies, banking companies, technology vendors, and others is hoping its attempt to develop rules for single-sign-on authentication will finally drive the concept into widespread use.
Other attempts to develop a way of letting people log on to one Web site and then visit other password-protected sites without signing in again have failed to take hold in the market.
Participants in the Electronic Authentication Partnership said that having the backing of the government could give its efforts more traction in the industry.
The Electronic Authentication Partnership announced its 16-member board of directors on Monday.
They include executives from Wells Fargo & Co.; BITS, the technology arm of the Financial Services Roundtable; the Mortgage Bankers Association; and representatives of federal and state governments and of Microsoft Corp. and Sun Microsystems Inc.
Among the group's members are nearly 150 government, financial services, and technology groups, as well as several other major industries. They include ABN Amro Services Co. Inc., the American Bankers Association, eBay Inc., National City Corp., Sallie Mae Inc., University Bank, and Wachovia Corp.
"One difference is the active role that the federal government and state governments are playing in this," said Elliott C. McEntee, a member of the Electronic Authentication Partnership's board and the president and chief executive of Nacha, the electronic payments association.
He said the initial motivation came from various government groups that were looking for a way to determine if they could trust authentication from nongovernment organizations. The effort has since expanded to cover any group that wants to know whether electronic credentials issued by another organization are reliable.
The ultimate goal is to make it easier for people to conduct business on the Internet by simplifying the process of initiating transactions and by giving companies more trust in the people at the other end of the network.
When the consortium announced itself, in December 2003, it said it planned to start work in February 2004 on a specification for evaluating credential and that it hoped to spend six to 12 months on the project. Apparently it is on schedule; the group said Monday that it plans a series of pilot tests for the "trust framework" it has developed.
"There was a widespread belief that technology was the barrier to more widespread acceptance," Mr. McEntee said in an interview Tuesday. "It's really been the business case and the business operating rules that have been the barrier."
Nacha has provided services to get the organization off the ground, contributing staff and coordinating the planning under a contract from the General Services Administration.
The effort could get a boost from the growth of online fraud. The spread of phishing and other forms of identity theft has called into question the protection offered by the traditional user-name and password log-on process.
It has also resulted in regulator pressure on bankers to tighten their online security measures. In December the Federal Deposit Insurance Corp. urged the industry to consider upgrading its log-on procedures, and recommended more cooperation among banks, government agencies, and technology providers. The agency is developing new security guidelines and has asked banks to submit comments.
James Lewis, the Electronic Authentication Partnership's interim chairman, said the group wants to clarify the responsibilities of different providers in the authentication procedure through a three-stage evaluation of how trustworthy a given digital credential may be; how the credential is issued; and by whom it is issued. (The group calls the process interoperable authentication.)
Eventually, Mr. Lewis said in an interview Tuesday, companies that authenticate users could be assessed so that others would know how much trust to put in the companies' credentials.
"The problem with authentication isn't technology. The problem is the lack of common rules, common standards, so people can understand what others are doing," said Mr. Lewis, the director of the technology and public-policy program at the Center for Strategic and International Studies in Washington. "You have to find ways for different authentication systems to cooperate if you're going to move ahead."
He said the group expects to begin some demonstration projects by midyear.
Microsoft tried to develop a single-sign-on capability with Passport, which was originally conceived as a centralized password repository. Microsoft still offers this application, but it is used primarily to access Microsoft services rather than Web sites operated by multiple companies.
Last month eBay dropped its support for the Passport authentication system, citing concerns about password protection.
Sun, a Microsoft rival, was one of the main backers of another well-publicized single-sign-on organization, the Liberty Alliance, which was formed in 2001. Sun's executive on the Electronic Authentication Partnership's board also represents the Liberty Alliance.
Chris Musto, a research vice president at Watchfire GomezPro in Waltham, Mass., said that shared authentication today is largely limited to bilateral arrangements between providers. One example is when a bank provides online banking in-house but enables customers to click through to a third-party bill-payment site without logging on again.
"Currently there isn't much call for shared authentication between sites," Mr. Musto said. "There isn't that much user demand for it."
He called the concept "ahead of its time" but said it still is a good idea for companies to work on it, given increasing pressure on banks to tighten their security.
