Enole: Single Sign-on for the Real World

Your phone may soon be all you will ever need to carry around. Up until now, your online identity and the real world haven't mixed. We have ways of authenticating offline and different methods online. Enole is trying to fix that, with an uncomplicated RESTful Web Service that enables developers to store user details alongside a mobile device ID.

In everyday life we authenticate ourselves with any number of different tokens: Offline, perhaps a swipe card for the office block, a credit card, a house key. Online, loads of username and password pairs. All of these items are a token of your identity: they represent you, and because you are the one with the token (or key), it’s assumed that you should be allowed access to whatever it is that the key unlocks.

Online, we’ve gotten to the stage where all of our keys can be bundled into a single online identity and this one identity can be used to grant access to many services. The most common facilitators of this are OpenID and certain services that have been built on OAuth. There’s no such thing for the real world. We have a billion loyalty cards, rings of keys, and no way to “Like” anything at the superstore. But if you can associate a physical entity with an electronic identity and validate these, you could successfully identify a person and their associated data by a physical item, such as their phone.

Enole's new API brings the lessons of online identity to the real world. Your data is retrieved as part of an authentication request (via JSON or XML) by a service provider. The service provider could require you to use an app on your phone that connects via one of your device's wireless connections to a nearby terminal. The terminal would then authenticate you by looking up the address of your device against registration details on Enole’s servers.

According to Aaron Knoll, Co-Founder and CTO of Enole, privacy is paramount. Using modern encryption methods, the company plans to store user data so securely that even they can’t access it. Making sure services are strictly opt-in means no unwanted abuse of users’ mobile devices. And in case your phone is stolen, remote opt-out closes the security loop.

The team have obviously given this a lot of thought and doubtless plenty of elbow grease too. Learning from the authentication needs of the web and providing a working solution that allows single sign-on to work in the real world could be a real game-changer.

Enole are currently running trials large and small, prior to a full public release. It’s likely to be a subscription service, but firm pricing plans are yet to be announced.

via GigaOm
