Delegated Authentication

Delegated authentication differs from the federated authentication model in that the authentication authority delegates authentication yet again. It's a double-sided star system in which the authentication authority sits in the middle, acting as a directory of sorts.

The delegated authentication model is not appropriate for weak authentication uses. So I doubt we'll see banks pushing customers to some federated authentication authority whenever they click on the sign-in button. Where it makes sense is in protecting high-value transactions with strong and/or multi-party, multi-factor authentication.

As cryptic as what I wrote above may sound, the net effect is that a) consumers will be able to buy their favorite secure token at Fry's and use it to protect their bank account without worrying about whether the bank supports the device or not, b) banks of all sizes will be able to support a wide range of authentication methods cheaply, and c) strong authentication vendors will be able to market their products and services directly to consumers.
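To make the double-sided star concrete, here is an added sketch (not code from the original post or from any real product) in which the bank verifies only the authority's signed assertion while the authority looks up the user's enrolled vendor and delegates the actual check to it. All names (Authority, token_vendor, bank_accepts), the HMAC challenge-response and the assertion format are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

def mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class Authority:
    """Hub of the star: relying parties on one side, authenticators on the other."""
    def __init__(self):
        self.authenticators = {}  # vendor -> verify(user, nonce, proof)
        self.directory = {}       # user -> vendor the user enrolled with
        self.rp_keys = {}         # relying party -> key shared with the authority

    def authenticate(self, rp, user, nonce, proof):
        verify = self.authenticators.get(self.directory.get(user))
        key = self.rp_keys.get(rp)
        # Delegate the actual check to the vendor; fail closed on any unknown party.
        if verify is None or key is None or not verify(user, nonce, proof):
            return None
        claims = json.dumps({"aud": rp, "sub": user, "nonce": nonce,
                             "exp": int(time.time()) + 60}, sort_keys=True)
        return claims, mac(key, claims)

def token_vendor(user_secrets):
    """Constructed stand-in for a token vendor's verification service."""
    def verify(user, nonce, proof):
        secret = user_secrets.get(user)
        return secret is not None and hmac.compare_digest(mac(secret, nonce), proof)
    return verify

def bank_accepts(key, rp, user, nonce, assertion):
    """The bank checks only the authority's assertion, never the device itself."""
    if assertion is None or not hmac.compare_digest(mac(key, assertion[0]), assertion[1]):
        return False
    c = json.loads(assertion[0])
    return (c["aud"], c["sub"], c["nonce"]) == (rp, user, nonce) and c["exp"] > time.time()

def demo():
    # Constructed keys and identities, for illustration only.
    hub, bank_key, seed = Authority(), b"constructed-bank-key", b"constructed-token-seed"
    hub.rp_keys["bank"] = bank_key
    hub.authenticators["token-vendor"] = token_vendor({"alice": seed})
    hub.directory["alice"] = "token-vendor"
    good = hub.authenticate("bank", "alice", "n-1", mac(seed, "n-1"))
    stale = hub.authenticate("bank", "alice", "n-2", mac(seed, "n-1"))  # old proof, new nonce
    return (bank_accepts(bank_key, "bank", "alice", "n-1", good),
            bank_accepts(bank_key, "bank", "alice", "n-2", stale),
            bank_accepts(bank_key, "bank", "alice", "n-2", good))  # assertion replayed
```

Adding a second vendor touches only the authority's tables; bank_accepts stays unchanged, which is the property the paragraph above describes.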

The biggest hurdle for delegated authentication is that the cost of fraud risk has already become part of the balance sheet. Risk exposure is aggregated and taxed horizontally so that financial risk is shared as part of operating cost. The net result is that individual customers face minimal financial risk, which leaves them little incentive to be interested in strong authentication unless their banks require them to use it.