Today identity resides largely in individual websites with no interaction between them. Users have to identify and authenticate themselves to each site or service.
It would be good to have an online identity that would be recognized at multiple websites. It would provide a major advance towards a truly connected world. Businesses would be spared the cost of maintaining their own identity databases, and Internet merchants would gain higher conversion rates from enquiries to sales. Users would find it easier to do business with multiple sites by avoiding lengthy registration processes and by not needing to carry sets of credentials for every website they visit. The overall security of Internet transactions would be enhanced and there would be more scope for performing trusted and high-value web transactions.
Trust is key to viable identity sharing
It is relatively easy for an organization to enroll a person with whom it has a relationship into its systems, and to establish a mechanism for giving them appropriate access permissions. It is much harder to decide when to trust a third party that makes an assertion about the person. Liability for incorrect information is another stumbling block to establishing commercial identity services. How can we build a mutually acceptable business model around the supply and consumption of this identity service?
The exciting news is that, under pressure from the US government, which wants to advance its e-Government initiatives, the industry is formulating a 4-tier model for different levels of identity assurance. Standards are emerging from the OITF (Open Identity Trust Framework) and the OASIS ID Trust. The standards bodies are also specifying processes for authenticating and enrolling people at each tier. ISO 29115 defines trust levels in user registration processes. NIST SP 800-63-1 suggests authentication methods that are appropriate for each level of identity assurance, using single-factor and multi-factor authentication. The model is expressed in economic terms. NIST SP 800-63-1 also lists a spectrum of devices and their underlying technologies that can be used for each level of authentication. We now have guidelines covering identification, registration, and authentication for a multi-tier model.
Establishing the business value
The tiered model is crucial for the development of identity providing services. It not only gives assurance to relying parties – it also provides a basis for determining the value of each band of assurance. This provides the basis for a business model for the providers with an appropriate limit of liability.
Financially the only credible business model is for the organizations that use the identity services to pay the identity providers, as end users will be reluctant to use a service where there is a fee charged simply to log in. The advertisement funded model, which is so common on the Internet, is unlikely to provide higher tier services where costs are greater and volume of use is lower.
OpenID shows the way
The OpenID movement has specified the most interoperable identity service so far. There are 250 million OpenID identities in existence, and these are accepted at more than 10,000 websites. Its initial objective was to provide more convenient access to social networking services, and registration within OpenID is largely self-certified. Today OpenID is often used as a second level of authentication in addition to a proprietary registration and authentication process.
We need to extend this model up the trust stack.
Privacy and security concerns
The downside of Internet identity services is that they provide an accumulation of personal information in a single location, and a single point of operational failure. Privacy concerns must be addressed.
A person’s “identity” is much more than a name tag. It comprises a repertoire of personal information and a log of actions. When the identity provider participates in transactions between the individual and other organizations, its view of the individual grows significantly. It can track the person’s Internet behavior and relate this to the other identity attributes. Identity abuse threatens security as well as privacy, whether the abuser is the identity provider itself, a rogue employee, or a hacker who has compromised it. Any of them could impersonate the identity subject in fraudulent or criminal transactions, as the provider holds both the means of identifying and of authenticating the victim. A rigorous code of conduct or a legal framework is needed to protect privacy from this new threat.
“Minimal disclosure” is a means of limiting disclosure to the parts of an identity that are relevant to a transaction, under the user’s control. Under this scheme the identity provider issues a credential to the identity subject, who controls which parts of it are disclosed and withholds unnecessary information. The technical challenge is to provide a way in which this can be done without breaking the digital signature on the credential. Microsoft’s U-Prove has achieved this. It eliminates unnecessary proliferation of personal information across the Internet.
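As an added illustration of the minimal-disclosure idea (this is not code from the article, from Ovum or from Microsoft, and it is not U-Prove's construction): instead of signing the attributes directly, the issuer signs a list of salted hashes of the attributes; the holder then reveals only the attributes and salts a relying party actually needs, and the relying party checks the revealed values against the signed list, so the signature stays valid even though most of the credential is withheld. This hash-commitment approach is the one used by SD-JWT selective disclosure; the issuer key, attribute values and the use of an HMAC in place of a real digital signature are all constructed assumptions for the example.

```python
"""Selective disclosure by hash commitment (added example, not U-Prove).

Issuer: commits to each attribute with a fresh salt and signs the digest list.
Holder: presents the signed digest list plus only the attributes to be revealed.
Verifier: checks the issuer signature, then checks each revealed attribute
         against the signed digests. Withheld attributes never leave the holder.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Constructed issuer key. An HMAC stands in for the issuer's digital signature;
# a real deployment would sign with a private key and verify with the public key.
ISSUER_KEY = b"constructed-issuer-key-for-example-only"


def _digest(name: str, value, salt: str) -> str:
    """Salted commitment to one attribute. The salt stops a verifier from
    guessing low-entropy values (e.g. a date of birth) by brute force."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _sign(digests: List[str]) -> str:
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()


def issue(attributes: Dict[str, object]) -> dict:
    """Issuer side: the signature covers only the sorted digest list, so the
    credential's signature does not depend on which attributes are later shown."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    digests = sorted(_digest(n, v, salts[n]) for n, v in attributes.items())
    return {
        "digests": digests,
        "signature": _sign(digests),
        "attributes": attributes,  # kept by the holder, never sent as-is
        "salts": salts,            # kept by the holder, released per attribute
    }


def present(credential: dict, reveal: List[str]) -> dict:
    """Holder side: build a presentation containing only the chosen attributes."""
    return {
        "digests": credential["digests"],
        "signature": credential["signature"],
        "disclosed": {
            name: [credential["attributes"][name], credential["salts"][name]]
            for name in reveal
        },
    }


def verify(presentation: dict) -> Optional[Dict[str, object]]:
    """Verifier side: return the disclosed attributes if the issuer signature is
    valid and every disclosed value recomputes to a signed digest, else None."""
    if not hmac.compare_digest(_sign(presentation["digests"]), presentation["signature"]):
        return None
    signed = set(presentation["digests"])
    accepted: Dict[str, object] = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if _digest(name, value, salt) not in signed:
            return None  # value or salt was altered after issuance
        accepted[name] = value
    return accepted


if __name__ == "__main__":
    # Constructed sample credential.
    cred = issue({"name": "Alice Example", "dob": "1980-01-01", "over_18": True})
    # A relying party that only needs an age check sees nothing else.
    print(verify(present(cred, ["over_18"])))
```

Two caveats worth knowing before building on this. First, the digest list is the same in every presentation, so two relying parties can recognise the same credential and link the user's activity; U-Prove's construction avoids that linkability, which this hash-based scheme does not. Second, the verifier learns how many attributes the credential carries, which may itself be sensitive in some schemes.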
Graham Titterington is principal analyst of information security at Ovum