Everyone who uses computers suffers from Identity Fatigue: the frustration that arises because every new product and service they access on the internet demands a new user ID and password. With all that is happening in the IT world – virtualization, consumerization, deperimiterization, mobilization – identity management is a growing problem.

All of us who do things with computers have two conflicting security goals: confidentiality and availability. We want to be able to access the services we need, and we want our data to be secure. But today’s multiple online identities pose a serious challenge. Do we stick to the same username and password? We won’t forget them, which means we can easily access the systems we want, but there is the obvious security risk that if one system is breached, so are all the systems we use. Do we use different usernames and passwords? Clearly this provides better protection, but to remember them all we will probably have to compromise security in other ways, such as writing them down or signing up for cloud-based password storage services.

Coupled with the growing awareness of cyber security threats because of a number of high-profile data breaches, people are starting to become both frustrated and rightly concerned. Yet at the same time the social media are showing how things could be easier. If you have a Facebook account, you can sign on to Facebook and use your Facebook identity to connect to hundreds of Facebook apps without logging on to them. Similarly, your Google identity can give you access to other services on the internet. Those of us in Enterprise IT can learn from the emerging power of social identity.

In conducting the research on Next Generation Identity Management, I have found that extraordinary benefits can accrue from a switch from the present enterprise-centric approach to a user-centric identity management approach. Yet there are also pitfalls. The design of user-centric identity services can stand between you and those using the services you provide, and the threats from targeted attacks continue to grow.

There are a number of key identity, entitlement and access management decisions that we in Enterprise IT will need to make in the next decade. What approaches will both better protect data and enable employees, partners and customers to benefit from the shift to user-centric identities? Will we try to retain control, or will we give the people who use our services control of their own identities? How will we manage entitlement? Could we perhaps eliminate passwords?

These are the issues that we are exploring in our identity management research process.