Some questions that people might ask have come to mind as I've started thinking about this stuff. Here's the first:
Why can't I use Twitter to log into my intranet at work?
There are a few things preventing this from being possible. Although using existing logins makes life easier for the user, the people who provide the systems have justified concerns. (Jargon sidenote: authentication is checking you are who you say you are. Related is authorisation, which is checking what you're allowed to do. A service provider is a system you are trying to use.)
So if I'm a service provider running the intranet and the users are asking to use their Twitter account, here are my concerns:
- I know that Fred Bloggs is an employee, but how do I know that @FredBloggs (who seems to be doing quite well making money at home) is the same person?
- Even if I do verify that, how can I be sure that Fred Bloggs's Twitter password isn't easy to guess? If Twitter's password policy is weaker than our existing password policy, then it's like putting a big lock on the front door and leaving a side window open. Judging by the number of people who have their Twitter accounts hacked, their password protection isn't that strong.
- Even if Twitter's policies are good, say they remove your account after 6 months of inactivity and someone else signs up with the same username. Then the other FredBloggs can log into your intranet even though they aren't an employee.
So when your equivalent of the pointy-haired boss comes up to you and says "I think we should build a Federated Identity system", you could ask him what colour he wants it, or ask him about identity assurance.
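To make the three concerns concrete, here is an added example (not code from the original post) of how an intranet might accept a federated assertion. It contrasts a naive check that trusts the public handle with one that binds a verified, stable subject id to an HR record and checks the provider's credential policy against the intranet's own; all identifiers, providers and assurance levels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (not from the post). Links are created during an
# out-of-band verification step (e.g. HR confirms the account belongs to Fred).
EMPLOYEES = {"fred.bloggs": {"name": "Fred Bloggs", "active": True}}

# Naive link table keyed by the public handle, which a provider may reassign.
LINKS_BY_HANDLE = {("twitter", "FredBloggs"): "fred.bloggs"}

# Hardened link table keyed by the provider's stable, never-reused subject id
# ("1001" and "emp-0042" are constructed values).
LINKS_BY_SUBJECT = {("twitter", "1001"): "fred.bloggs",
                    ("corp-sso", "emp-0042"): "fred.bloggs"}

# What each provider's credential policy is worth to us (hypothetical scale:
# 1 = password only, rules unknown; 2 = policy-checked password plus MFA).
PROVIDER_ASSURANCE = {"twitter": 1, "corp-sso": 2}
REQUIRED_ASSURANCE = 2


@dataclass
class Assertion:
    provider: str    # who vouched for this login
    subject_id: str  # the provider's stable account identifier
    handle: str      # username shown to humans; may be recycled


def authorise_naive(a):
    """Trust the handle: lets in whoever holds the username today."""
    return LINKS_BY_HANDLE.get((a.provider, a.handle))


def authorise(a):
    """Return (ok, employee_or_reason) after the checks from the post."""
    # 1. Binding: is this exact provider account linked to an active employee?
    employee = LINKS_BY_SUBJECT.get((a.provider, a.subject_id))
    if employee is None or not EMPLOYEES[employee]["active"]:
        return False, "account not linked to an active employee"
    # 2. Credential strength: does the provider's policy meet ours?
    if PROVIDER_ASSURANCE.get(a.provider, 0) < REQUIRED_ASSURANCE:
        return False, "provider assurance below intranet policy"
    # 3. Recycled usernames already fail check 1: the new holder of the
    #    same handle has a different subject id.
    return True, employee


if __name__ == "__main__":
    fred = Assertion("twitter", "1001", "FredBloggs")
    impostor = Assertion("twitter", "2002", "FredBloggs")  # reassigned handle
    print(authorise_naive(impostor))  # naive check maps them to fred.bloggs
    print(authorise(impostor))        # rejected: not linked
    print(authorise(fred))            # rejected: Twitter's policy is too weak
    print(authorise(Assertion("corp-sso", "emp-0042", "fbloggs")))  # accepted
```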
Edit: Here's the cartoon that Giddie mentioned below: