A new theory of digital identity

Stephen Wilson puts digital identity under the microscope.

Part A: Federated Identity: Easier said than done

Part one of a two part series.

In response to cyber crime and the password plague, there has been a near universal acceptance of the idea of federated identity.  Sharing identities is intuitively appealing.  If you have invested time and effort getting identified by one service provider, you should be able to re-use that identification with other services.

Federation should save time, streamline registration, cut costs, and open up new business channels.

And yet federated identity has stalled. True, we can now enjoy the convenience of logging onto multiple blogs and social networks with an unverified Facebook or Twitter account, but higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes.  Many promising initiatives have sputtered on the launch pad, promising technologies like Cardspace have fizzled, and there’s been a revolving door of identity industry collectives. 

Government and industry have grand plans to build identity ecosystems, such as the US National Strategy for Trusted Identities in Cyberspace (NSTIC) and Britain’s new midata.  And Facebook, Google and LinkedIn are positioning as global Identity Providers.  Which of these will thrive and which will die another slow death?  The answer lies in the way identities have evolved to fit different niches in real world business ecosystems.  A new ecological theory of Digital Identity will conserve the successful ways we know and show who we are online. 

Federated identity: Easier said than done

Federated identity is one of the orthodoxies of information security today.  The federation movement is propelled by four forces:

  1. The realisation that a great deal of cyber crime results from mis-authentication, including especially phishing, pharming, identity theft, and Card Not Present fraud
  2. The ever worsening password plague and unwieldy ‘token necklaces’
  3. The burden of needing to re-register at each and every new site just to get the most basic services, and
  4. The perceived business opportunity of big online brands to monetise their customer relationships, and re-launch themselves as Identity Providers. 

Federation strives to kill at least two birds with one stone: improving security by giving users easier access to improved (hopefully two factor) authentication ― which is a technology problem ― and streamlining enrolment ― which is a business process problem. 

Over time, federation has grown into a whole school of security thought. Its intellectual foundations were laid down by Kim Cameron in his famous Laws of Identity. The Laws emphasise that identity is context dependent, and that we exercise a range of identities fit for different purposes.  These are powerful principles that among other things help empower users and protect them from identity theft and privacy invasions. 

Yet the Laws stray into philosophical territory that has not proven helpful in practice.  In particular, the laws separate the abstract roles of firstly providing identities and secondly consuming or relying on them. It can be instructive to think about these roles independently, but the federated identity movement encourages big institutions like banks and governments to actually split off their identity provisioning business functions. 

Several technologies and high level architectures have emerged as tentative realisations of the Laws of Identity. Microsoft for instance promoted its elaborate Identity Metasystem of independent identity, attribute and service providers, and a powerful new graphical UI called Cardspace which organises multiple digital identities in a virtual wallet. Much of its intellectual property in these technologies was opened up by Microsoft, leading to the open source Project Higgins, Information Card Foundation and the Open Identity Exchange (OIX) consortium.

Despite all this frenetic research and development and industry activity, banks and governments have not yet managed to recognise one another’s identities, save for some isolated examples in Scandinavia.  

Yet identity sharing has roared ahead in social media, to such an extent that users complain ironically of the ‘Nascar problem’ - where the social logons accepted at a website are festooned all over like advertisers’ logos, crowding each other out.  The comparison is not accidental, for social logon providers are clearly acutely brand conscious.  Facebook and Twitter have let their IDs flourish like weeds, but now a few social networks have taken the covers off their strategies, admitting they see themselves as global identity providers, leveraging the intimate knowledge they have of their members’ digital lives.  

Is it possible that free and expressive social logons will take over where bank and government identities have failed to interoperate? Or will the higher risk management standards of serious online transactions remain beyond reach of the cyber brands?  We can only pick the winners in this fast moving marketplace after reviewing what identity is all about.

Identity: fuzzy and familiar

Consider that in ordinary life we are at ease with the complexity and nuance of identity. We understand the different flavours of personal identity, national identity and corporate identity. We talk intuitively about identifying with friends, family, communities and companies to name a few. Identity is not absolute, but instead it shifts in time and space.  Most of us know how it feels at a school re-union to no longer identify with the young person we once were. And it seems clear that we switch identities unconsciously, when for example we change from work to casual clothes, or wear our team’s colours to a football match. 

Yet when it comes to digital identity―that is, knowing and showing who we are online―we have made an embarrassing mess of it. Information technologists have taken it upon themselves to redefine the meaning of the word.

Day-to-day we think of identity simply as how someone is known. People move in different circles and they often adopt different guises or identities in each of them. We have circles of colleagues, customers, fellow users and so on ― and we often have distinct identities in each of them. The old saw “don’t mix business and pleasure” plainly shows we instinctively keep some of our circles apart. The more formal circles―which happen to be the ones of greatest interest in e-business―have procedures that govern how people join them. To be known in a circle of a bank’s customers or a company’s employees or a profession means that you’ve met some prescribed criteria. 

The Laws of Identity define a digital identity as “a set of claims made by one digital subject about itself or another digital subject”. Essentially a digital identity is a proxy for one’s standing in a particular context; it defines the relationship we have with everyone else in the circle. 

Underneath each digital identity is a host of formal complexities, like the identification protocol that got us into the circle in the first place, and the terms and conditions for operating in it. 

The myths of federated identity

Federated identity has adopted several axioms, which turn out to complicate rather than simplify the security challenges. Many of them are myths.    

Myth: Identities should interoperate.

Interoperability is one of IT’s sacred cows, stated as a must-have in every single program, but usually with scant attention to detail. Once we understand identities as proxies for relationships, we should go back and ask, what can it possibly mean for identities to interoperate across different contexts? 

Individuals belong to many circles at once, like the set of chartered accountants, the set of Manchester United supporters, and the set of a bank’s customers. Membership of any one circle doesn’t necessarily say anything about membership of any other.  That is, relationships don’t interoperate, and neither in general do identities.

What’s usually implied by interoperability is the idea that identities established with one identity provider should be reusable with multiple service providers. Re-use is typically brokered by a trusted intermediary. The business case for authentication brokers is often nothing more than the claim that the total number of enrolments will be reduced, and time and effort will automatically be saved. 

Each link between service and identity providers represents a bilateral legal arrangement.  Introducing a broker appears to reduce the total overhead. It is only less expensive overall if the arrangements before and after are comparable―and they are not. 

The broker’s core promise is that identities will be useable for current and future online services over which the identity providers (IdPs) have no control, and with relying parties (RPs) with whom they have no relationship. This undertaking defies conventional risk management practices. 

Identity federation takes existing carefully crafted arrangements, in which businesses know their customers for the purposes of known applications, and breaks them open so that strangers with no prior relationship can also transact with those customers.  The cost of having lawyers even come to grips with this situation, let alone negotiate novel contracts, is great and difficult to constrain. 

Myth: Trust can be stratified into discrete levels of assurance

The identity industry has surprisingly quickly settled on a generic classification of transaction risk and authentication strength, or levels of assurance (LOAs).  The idea is to gauge the seriousness of a transaction as LOA 1, 2, 3 or 4, and then match the level of the party you’re planning to do business with.  Four-step LOAs are standardised now in the US Government’s e-authentication guide, the Australian National Electronic Assurance Framework (NEAF) and the Kantara Identity Assurance Working Group. LOAs seem intuitively reasonable but like so many intuitions, they’re not quite right. 

Assurance levels have been derived from the tiered risk management methodologies seen in standards such as ISO 31000.  These involve estimating the severity and frequency of anticipated threats, and combining them into rolled-up risk ratings on an ordinal scale like negligible, low, medium, high and extreme. 

All security management process standards put the onus on each organisation to calibrate its own internal severity and frequency criteria, and to decide its own risk appetite. As a result, risk determinations made under ISO 31000 are not transferable between organisations.  Simply saying that a certain event ― for example a compromised user account ― has a risk rating of medium tells someone outside the organisation nothing at all about the details of the threat, how it might be mitigated, its impacts, or even its expected likelihood. So when an IdP claims its credentials are at LOA 4, and an RP estimates its transactions are at LOA 3, there actually isn’t sufficient information for the RP to tell if the identities are suitable.  Especially at the higher levels of assurance, IdPs and RPs need to come together and look over the fine print (and come to what will usually be a bilateral agreement after all).

Myth: Identity providers and relying parties are separate roles

The Laws of Identity teach that provisioning identities and relying upon them can be separated, and strongly imply that they should be separated.  In proposals like the Open Identity Exchange, institutions like banks are urged to re-imagine themselves as IdPs so that they can generate new business, and to open up their risk management policies so they can rely upon external identities and so streamline customer origination.  Yet both of these directions are radical departures from how banks work today. 

For a bank to have its identities accepted by other organisations requires it to somehow underwrite its identification processes in contexts over which it has no control.  Inevitably, the legal complexity and detailed new terms and conditions swamp any benefits that might be gained from extra revenue streams and identity proofing short cuts.

Successes of the federated identity experience

Most of the successful identity federations to date have been catalogued by the Kantara Initiative. They include the aerospace industry bridge CA, the pharmaceutical companies’ SAFE Biopharma service, Canadian and US federal Certificate Authorities, and several tertiary education access control schemes. Tellingly, these are all Public Key Infrastructures. More importantly they are all specific to highly regulated sectors, so all participants start out with credentials that are already highly standardised. 

A few cross-sector federations have succeeded in Scandinavia. The BankID consortium for example agreed on a particular PKI solution for issuing electronic credentials.  Over two million BankIDs have been issued, and may be used for lodging tax returns as well as many other government transactions.  After its own citizen e-ID card failed to gain ground, the Swedish government in effect outsourced its IdM to the banks, and passed special legislation to make it happen.

The most notable identity federations are the social logons, such as Facebook Connect and LinkedIn Identity. These each operate almost seamlessly across a great many sites, thanks to the OAuth protocol that permits services to share identity data, with the user’s blanket consent.  But we need to take this experience to date with a big grain of salt.  Today’s social logons are issued by services that don’t really know who you are, and are accepted by sites that don’t really care who you are. 

Failed federations

The Trust Centre was an initiative of the Australian banking sector in 2006, with the aim of combating phishing and identity theft. The plan at its height was for an independently operated IdM hub to aid enrolment, authentication, authorisation and forensics. After at least a year’s hard work, in late 2007 the Trust Centre broke up, without even the most basic level of strategic cooperation being agreed upon.  It should be sobering that federation eluded this small number of very similar organisations working in a highly regulated environment. 

In 2005, the Internet Industry Association developed a framework for an industry-based Two Factor Authentication scheme.  With the support of the Australian government, the IIA commissioned a detailed study of the legal and management risks, and the IT architecture required so a range of authentication devices could be re-used across multiple service providers. The scheme would be technology agnostic to increase choice and foster competition among solutions providers. The strategic objectives were to cut cost, streamline the ‘token necklace’, and help counter cyber crime. 

Sadly, even after designing pro forma agreements and an architecture, the IIA was unable to sign up industry participants to trial the 2FA scheme.  It was observed at the time that banks seemed reluctant to allow re-use of their authentication devices.  In hindsight, the risk sharing agreements were probably too complex and too novel.

Meanwhile overseas, OpenID became the poster child for federated identity. OpenID is a framework in which users can register a personal Uniform Resource Identifier (URI) and have it recognised by participating service providers, to enable web Single Sign On. When launching NSTIC in January 2011, White House security adviser Howard Schmidt asked us to “imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords”.  This vision was inspired by OpenID. Despite its promise, OpenID has struggled for acceptance, and has been conspicuously dropped by influential early adopters such as 37signals.

Early 2011 saw the worst news to date for the identity industry, with Microsoft ceasing support for Windows Cardspace, its implementation of Information Cards.  The Cardspace post mortems concentrated on platform issues, deployment, and technology company politics, and it’s business as usual, albeit with noticeably less excitement, at Kantara and NSTIC. 

Clearly the ‘Identity 2.0’ movement is in some trouble. Why should so much good sense and smart technology still be bumping along the bottom? The answer lies in a new and unifying theory of identity that recognises deep problems in the very concept of sharing identities. 

The real problem with Federated Identity

If we take a closer look, we can see that nothing like federated identity has ever been done before. The proposition that banks, phone companies, universities and governments should act in the open as Identity Providers to support transactions they have nothing to do with is not something these institutions have ever contemplated.  Federation implies widespread changes to risk management arrangements, which lawyers and legislators have yet to come to grips with. Consider the banks’ long established and highly regulated Know Your Customer protocols for identifying customers; introducing new third party brokers and enrolment pathways is a true paradigm shift, demanding untold revision of business rules, contracts and legislation. 

The greatest challenge in federated identity is getting service and identity providers, accustomed to operating in their own silos, to accept risks incurred by their members doing business in foreign settings. This is why identity is so very context dependent, and why specialised identities are so hard to federate. 

The intellectually compelling Laws of Identity speak of deep truths about digital identity and context, and they forcefully make the case for each of us exercising a plurality of identities, never just one. The Laws illuminate how organisations like banks and governments act simultaneously as Identity Provider and Relying Party.  Yet few if any of these institutions have been convinced by the Laws to uncouple and expand these roles in their own rights. The barrier to embracing federated identity is simply that nobody has yet worked out how to allocate liability in multilateral brokered identity arrangements, without re-writing the contracts that currently govern how we buy, bank and access government and health services. 

So the problem with the Laws of Identity is not that they are wrong; it’s that they are overly abstract.  Identity federation complicates business by inserting novel new intermediaries into business relationships that until now have been closely managed in a familiar, conservative, bilateral way.  The cornerstones of commerce are conservative institutions, understandably rather easily put off by legal complexity that falls outside their main business activity.  When push comes to shove, banks in particular just don’t see themselves as identity providers. 


Copyright © SC Magazine, Australia
