It has been pretty quĂet around the VIP (VeriSign Identity Protection) solution. I have played around with that solution some two years ago, when support for eBay and PayPal had been added. But after that I didn’t see much of VIP (and didn’t hear much of VeriSign, honestly). Until these days, when TriCipher and VeriSign announced a strong authentication solution for Google Apps. They call it “triple-sec” given that three different factors are used – the two provided by TriCipher and an out-of-band authentication based on VeriSign VIP Access for Mobile.
VeriSign VIP Accessfor Mobile is in fact an OTP (one time password) generator which runs on mobile phones. Overall, a strong authentication can be achieved that way for TriCipher’s MyOneLogin service which is the tool used. MyOneLogin is a cloud-based SSO solution for other (external) cloud or SaaS services which uses SAML to provide authentication information to Google Apps Premier.
The VIP support is offered for free for Google Apps Premier customers – as long as they use the strong authentication only for Google Apps Premier. If they’s like to extend this to other apps, it’s not free anymore. Anyhow, this is at least an interesting solution for companies who rely on these cloud services and require an relatively easy strong authentication solution. For sure you’d have to accept that you need your mobile phone in addition but the alternative would be to rely on some soft-token approach or to carry another token or device to support strong authentication.
Besides the fact, that the “for free” doesn’t last long in practice, given that most customers probably will secure other apps as well, the biggest question from my perspective is whether a cloud-SSO for cloud only (more or less) is the solution of choice. Customers which further rely heavily on internal (and non-web) applications might benefit more from a traditional E-SSO approach supporting internal as well as external applications of any type. However, integration of these tools with applications like Google Apps typically relies on traditional exchange of username/password in the background instead of the more advanced SAML approach provided for example by MyOneLogin. With other words: There are other options, but at least the TriCipher/VeriSign offering is an interesting approach worth to have a look at.
To learn more about what’s going on in the “cloud”: Attend the Kuppinger Cole Cloud 09 conference, December 2nd-4th, Munich.
Martin,
There are a few points I thought it would be useful to expand on.
1. myOneLogin supports apps that dont provide federation. We manage ids and passwords for these sites. Many of our customers give their users a myOneLogin account configured to never let them see the user ID and password that is being supplied to their apps. Among the many benefits of this approach is that it eliminates account/pw sharing. Of course this approach isnt necessary if the web app supports SAML.
2. As you point out, we provide three factors, a confidence image, a browser cookie or certificate that provide 'clientless' mutual strong authentication , and the VIP mobile token. Customers can rely on our clientless methods on machines they work from regularly, while using the VIP mobile factor when roaming e.g. from public machines.
3. Internal apps that are already accessible through an SSL VPN are easy to include in a users myOneLogin portal. Juniper's SSL VPN support for SAML makes it easy for myOneLogin to provide secure access to external and internal apps.
4. myOneLogin can validate users against internal user stores (e.g. AD, LDAP) with our Directory Services Proxy (DSP) module. This module can also be used by an enterprise to generate and consume SAML – which relieves the enterprise or (service provider) from the effort necessary to implement their own SAML support..
Jon