Single Sign-on Startup Opportunity Has Passed

For as long as I can remember, computer users have been complaining about the array of names and passwords required to get work done – a different unique user identification name and password are required to start the computer, email, social networks, banking, read online news, connect to the office, or check your phone bill.

Computer jocks all fantasize about having one magic password or bionic finger that will eliminate the “sticky notes” that normally line the displays of avid computer users. So why hasn’t this problem been solved long ago by the many experts, startups, and “solutions” already out there?

Certainly this is a challenging technical problem, if you look at the problem in a macro sense:

• Must accommodate existing applications with proprietary login functionality
• Enterprises expect a solution across disparate old and new platforms
• At least two authentication technologies are competing: Kerberos and digital certificates
• Multiple levels of security required – sign in to instant message vs transfer funds
• Passwords have to be changed often, and increasingly non-trivial to foil hackers and bots

But I suspect the real problem here is that the dream of a “one size fits all” solution simply doesn’t make sense. It’s sort of like the people who think all cars, or even all vehicles, should operate and drive the same. It won’t happen, for some very pragmatic reasons.

What will happen and should happen is that sign-on will get more automated, more intuitive, and better remembered across relevant access domains. The alternatives out there now have come a long way:

• Early hardware solutions involved plugging in a USB “dongle” or security token which had a unique hardware id that could be automatically polled and associated with your unique sign-ons. Matrixlock, Senselock, and UniKey are among the popular vendors even today.

• Later came a flood of software packages that stored an encrypted version of your userids and passwords on your hard file. These are essentially an automated and secure version of the post-it notes, and include names like KeePass and Mitto.

• My laptop has a built-in fingerprint sensor that can be easily set up for a specific password when “swiped.” IBM invented this, but most others have it now also. Secure Services Corporation has a software implementation that uses biometrics.

• There are numerous single sign-on products on the market, such as PassLogix, AccessMaster, Entrust/SignOn, MetaPass SSO, OneSign, and SecureLogin. These typically take some integration or special setup to work with existing applications.

• The latest type of solution is called a “web profile aggregator” built as a portal to a group of similar applications or premium content which can be accessed through a common login. Examples include FindMeOn.com, Mugshot, and Naymz. A new one I have used is called iLogon.

As Web 2.0 takes over the consumer world, and Software as a Service (SaaS) finds a place in the enterprise, this problem gets easier. My goal is to get down to a half-dozen logons and passwords, or even just a single sticky, and with the tools above, I’m almost there. I’ve already eliminated the unencrypted text file of passwords on my laptop.

From my perspective, a half-dozen variations is about right, to match the different types of applications and security required. So let’s forget that fool's gold for startups to think that they can achieve "single sign-on" capabilities for their users. I think it’s time to add this one to my list of startup opportunities whose time has come and gone.

Marty Zwilling