X.509 certificates are back

I have noticed lately that more and more customers are asking how to implement X.509 certificates for authentication and Single Sign-On.

What an interesting development!?!

X.509 certificates predate the web (they come out of the 1988 X.500 directory standards), and server certificates have long been the foundation of TLS, but certificates as digital identities for end users never really took off. The reason is that you need to set up a fairly intensive and costly administration in the form of a Public Key Infrastructure (PKI) to roll out, renew and revoke certificates. Instead most customers relied on username + password authentication or moved to newer approaches like SAML and OAuth, albeit these have been more widely adopted in North America than in other regions.

Why do digital certificates suddenly start to become so popular?

The reasons are probably manifold. I speculate the following:

X.509 certificates can be used in the web world, but they are also supported by fat clients and non-web protocols (VPNs, 802.1X/EAP-TLS network access, S/MIME mail, to name a few), whereas SAML and OAuth are built around browser redirects.

SAML is a verbose XML request/response protocol driven by browser redirects and form POSTs, which makes it awkward to use from native mobile applications. Since there are tools (MDM enrollment, SCEP and the like) to deploy X.509 certificates on mobile devices, they have become a good and secure choice for authenticating mobile applications, provided the private key is generated in the device's hardware-backed keystore so that the certificate cannot simply be copied off the phone.

SAML requires the setup of Identity and Service Providers, which in itself is not too cumbersome, but even with cloud offerings you still need to do the configuration. And if I have to configure anyway, why not configure a PKI and use X.509 certificates?

If a company wants to avoid administration and configuration as much as possible, there are technologies available where they do not need a full-blown PKI: a lightweight internal CA issues short-lived certificates on the fly, so there is no renewal or revocation infrastructure to run, because the certificate simply expires within hours. A SAML assertion is short-lived too, but it cannot be used outside the browser flow.

My gut feeling is that customers are looking for the one security token that fits most of their end-user scenarios, and if I look at the list above, X.509 certificates definitely allow for wider coverage while requiring a similar amount of configuration.
