Part A: Federated Identity: Easier said than done
In response to cyber crime and the password plague, there has been a near universal acceptance of the idea of federated identity. Sharing identities is intuitively appealing. If you have invested time and effort getting identified by one service provider, you should be able to re-use that identification with other services.
Federation should save time, streamline registration, cut costs, and open up new business channels.
And yet federated identity has stalled. True, we can now enjoy the convenience of logging onto multiple blogs and social networks with an unverified Facebook or Twitter account, but higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes. Many promising initiatives have sputtered on the launch pad, promising technologies like Cardspace have fizzled, and there’s been a revolving door of identity industry collectives.
Government and industry have grand plans to build identity ecosystems, such as the US National Strategy for Trusted Identities in Cyberspace (NSTIC) and Britain’s new midata. And Facebook, Google and LinkedIn are positioning as global Identity Providers. Which of these will thrive and which will die another slow death? The answer lies in the way identities have evolved to fit different niches in real world business ecosystems. A new ecological theory of Digital Identity will conserve the successful ways we know and show who we are online.
Federated identity: Easier said than done
Federated identity is one of the orthodoxies of information security today. The federation movement is propelled by four forces:
- The realisation that a great deal of cyber crime results from mis-authentication, including especially phishing, pharming, identity theft, and Card Not Present fraud
- The ever worsening password plague and unwieldy ‘token necklaces’
- The burden of needing to re-register at each and every new site just to get the most basic services, and
- The perceived business opportunity of big online brands to monetise their customer relationships, and re-launch themselves as Identity Providers.
Federation strives to kill at least two birds with one stone: improving security by giving users easier access to improved (hopefully two factor) authentication ― which is a technology problem ― and streamlining enrolment ― which is a business process problem.
Over time, federation has grown into a whole school of security thought. Its intellectual foundations were laid down by Kim Cameron in his famous Laws of Identity Error! Reference source not found.. The Laws emphasise that identity is context dependent, and that we exercise a range of identities fit for different purposes. These are powerful principles that among other things help empower users and protect them from identity theft and privacy invasions.
Yet the Laws stray into philosophical territory that has not proven helpful in practice. In particular, the laws separate the abstract roles of firstly providing identities and secondly consuming or relying on them. It can be instructive to think about these roles independently, but the federated identity movement encourages big institutions like banks and governments to actually split off their identity provisioning business functions.
Several technologies and high level architectures have emerged as tentative realisations of the Laws of Identity. Microsoft for instance promoted its elaborate Identity Metasystem of independent identity, attribute and service providers, and a powerful new graphical UI called Cardspace which organises multiple digital identities in a virtual wallet. Much of its intellectual property in these technologies was opened up by Microsoft, leading to the open source Project Higgins, Information Card Foundation and the Open Identity Exchange (OIX) consortium.
Despite all this frenetic research and development and industry activity, banks and governments have not yet managed to recognise one another’s identities, save for some isolated examples in Scandinavia.
Yet identity sharing has roared ahead in social media, to such an extent that users complain ironically of the ‘Nascar problem’ - where the social logons accepted at a website are festooned all over like advertisers’ logos, crowding each other out. The comparison is not accidental for clearly social logon providers are acutely brand conscious. Facebook and Twitter have let their IDs flourish like weeds, but now a few of social networks have taken the covers off their strategies, admitting they see themselves as global identity providers, leveraging the intimate knowledge they have of their members’ digital lives.
Is it possible that free and expressive social logons will take over where bank and government identities have failed to interoperate? Or will the higher risk management standards of serious online transactions remain beyond reach of the cyber brands? We can only pick the winners in this fast moving marketplace after reviewing what identity is all about.
Identity: fuzzy and familiar
Consider that in ordinary life we are at ease with the complexity and nuance of identity. We understand the different flavours of personal identity, national identity and corporate identity. We talk intuitively about identifying with friends, family, communities and companies to name a few. Identity is not absolute, but instead it shifts in time and space. Most of us know how it feels at a school re-union to no longer identify with the young person we once were. And it seems clear that we switch identities unconsciously, when for example we change from work to casual clothes, or wear our team’s colours to a football match.
Yet when it comes to digital identity―that is, knowing and showing who we are online―we have made an embarrassing mess of it. Information technologists have taken it upon themselves to redefine the meaning of the word.
Day-to-day we think of identity simply as how someone is known. People move in different circles and they often adopt different guises or identities in each of them. We have circles of colleagues, customers, fellow users and so on ― and we often have distinct identities in each of them. The old saw “don’t mix business and pleasure” plainly shows we instinctively keep some of our circles apart. The more formal circles―which happen to be the ones of greatest interest in e-business―have procedures that govern how people join them. To be known in a circle of a bank’s customers or a company’s employees or a profession means that you’ve met some prescribed criteria.
The Laws of Identity define a digital identity as “a set of claims made by one digital subject about itself or another digital subject”. Essentially a digital identity is a proxy for one’s standing in a particular context; it defines the relationship we have with everyone else in the circle.
Underneath each digital identity is a host of formal complexities, like the identification protocol that got us into the circle in the first place, and the terms and conditions for operating in it.