The rise and fall of single sign-on

Back in the heady days of the turn of the millenium, our friends at Microsoft launched Passport, which was to be their Next Big Thing™. The big idea was to let everyone replace all of their user accounts, passwords and so forth with a single account managed by the Redmond beast. Single sign-on was the wave of the future, and would finally mean you didn't need to remember dozens of different login details for all the sites you visited. Initially it was used for all of Microsoft's MSN services, such as Messenger and Hotmail, but it was designed to be rolled-out to third party sites as well. Quite a few did implement it – see the writeup for a list as of 2001.

Of course, this was an idiotic idea. Who wanted to trust Microsoft with all of their personal information? Passport flopped, and was eventually changed to "Windows Live ID", focussed only on Microsoft stuff. Google Checkout has revived the "digital wallet" idea, but generally the whole single sign-on idea has crawled back into the niche it occupied before, used for authenticating several systems within the same organisation. The idea of a single account used to access hundreds of different web sites is pretty much dead.

But wait!

There is however an exception, a single sign-on system that is hugely successful, but most people have probably not heard of it unless they're students or academics, and even then it's unlikely unless they're in the UK. That service is Athens, and it's amazing. Operating since 1996, with 4.5 million user accounts at 2000 organisations in over 90 countries, it is used to manage access to over 300 different sites and resources.

The primary use for the service is to manage access to online journals and resources, such as Lexis-Nexis, Metapress, JSTOR and IngentaConnect. The main users are universities and other higher education establishments, but it is also widely used in places such as the UK National Health Service. It's also absolutely fucking fantastic. Attending a university in a different city from the one in which I live has been quite inconvenient, but it would have been a complete nightmare if it weren't for Athens. It lets me get access to journals from home without needing hundreds of accounts, or messing about with stupid stuff like VPN. Much easier than driving for 45 minutes to go to the library.

How does it work?

When a user visits a site that supports Athens, there is usually a little link next to the usual login form saying something like "Sign in via Athens". For example, see the sidebar at The user clicks on this link, which takes them to the Athens site. They then log in, if they're not logged-in already, at which point they're bounced back to the original site, magically logged-in. There are two kinds of user accounts on Athens - "Classic", and the shiny new Devolved Authentication (Athens DA), and the process of logging-in varies according to the type. With a classic account, every user is issued with an account username and password. With university accounts, the username usually begins with a prefix that represents the institution. For example, accounts issued by the University of Bristol begin with "bri". The user simply enters this username and password on the Athens site as you would expect.

Athens DA is a little more clever. A university user probably already has an account at their institution, for email and so forth, so wouldn't it make sense if this could be used? Also, as the user is gaining access via their insititution, wouldn't it make sense if it was that institution that was responsible for authenticating them? Well, yes, and that's what Athens DA does. Rather than logging-in using their own Athens account, the DA user is redirected to their own institution's site, where they log in. They are then redirected back to Athens where they are then logged in, and thence to the original site. Sounds complicated, but it's pretty transparent, and easier than having a separate account. Trust me, it's easier. For reasons that I'll explain below, this was trialled at University of Bath, which I attend, but is now rolling-out across the board and is currently used by around 70 organisations.

So who's behind this?

Athens is a service provided by Eduserv, a non-profit company based in Bath, UK. The company was formed in 1999 from CHEST, the organisation that negotiated all the subscriptions and other electronic resources for UK universities, and NISS (National Information Services and Systems), which were based at the University of Bath. These had previously been responsible for the Athens service among other services. Eduserv is now an independent company based in its own premises in Bath city centre, and provides all kinds of IT services to educational organistions in the UK. Athens use is pretty much universal in UK higher education, but it is not restricted to the UK. Organisations all over the world also use it, but it is far less widely used in other countries - for example, there are only five universities and around 20 health organisations in the US which are members. More fool the others.