A new theory of digital identity

Page 2 of 3

Federated identity has adopted several axioms, which turn out to complicate rather than simplify the security challenges. Many of them are myths.    


The myths of federated identity

Myth: Identities should interoperate.

Interoperability is one of IT’s sacred cows, stated as a must-have in every single program, but usually with scant attention to detail. Once we understand identities as proxies for relationships, we should go back and ask, what can it possibly mean for identities to interoperate across different contexts? 

Individuals belong to many circles at once, like the set of chartered accountants, the set of Manchester United supporters, and the set of a bank’s customers. Membership of any one circle doesn’t necessarily say anything about membership of any other.  That is, relationships don’t interoperate, and neither in general do identities.

What’s usually implied by interoperability is the idea that identities established with one identity provider should be reusable with multiple service providers. Re-use is typically brokered by a trusted intermediary. The business case for authentication brokers is often nothing more than the claim that the total number of enrolments will be reduced, and time and effort will automatically be saved. 

Each link between service and identity providers represents a bilateral legal arrangement. Introducing a broker appears to reduce the total overhead. It is only less expensive overall if the arrangements before and after are comparable, and they are not.

The broker’s core promise is that identities will be useable for current and future online services over which the identity providers (IdPs) have no control, and with relying parties (RPs) with whom they have no relationship. This undertaking defies conventional risk management practices. 

Identity federation takes existing carefully crafted arrangements, in which businesses know their customers for the purposes of known applications, and breaks them open so that strangers with no prior relationship can also transact with those customers.  The cost of having lawyers even come to grips with this situation, let alone negotiate novel contracts, is great and difficult to constrain. 

Myth: Trust can be stratified into discrete levels of assurance

The identity industry has surprisingly quickly settled on a generic classification of transaction risk and authentication strength, known as levels of assurance (LOAs). The idea is to gauge the seriousness of a transaction as LOA 1, 2, 3 or 4, and then match it against the level of the credentials held by the party you’re planning to do business with. Four-step LOAs are standardised now in the US Government’s e-authentication guide, the Australian National Electronic Assurance Framework (NEAF) and the Kantara Identity Assurance Working Group. LOAs seem intuitively reasonable but, like so many intuitions, they’re not quite right.

Assurance levels have been derived from the tiered risk management methodologies seen in standards such as ISO 31000.  These involve estimating the severity and frequency of anticipated threats, and combining them into rolled-up risk ratings on an ordinal scale like negligible, low, medium, high and extreme. 

All security management process standards put the onus on each organisation to calibrate its own internal severity and frequency criteria, and to decide its own risk appetite. As a result, risk determinations made under ISO 31000 are not transferable between organisations. Simply saying that a certain event, for example a compromised user account, has a risk rating of medium tells someone outside the organisation nothing at all about the details of the threat, how it might be mitigated, its impacts, or even its expected likelihood. So when an IdP claims its credentials are at LOA 4, and an RP estimates its transactions are at LOA 3, there actually isn’t sufficient information for the RP to tell whether the identities are suitable. Especially at the higher levels of assurance, IdPs and RPs need to come together and look over the fine print (and come to what will usually be a bilateral agreement after all).

Myth: Identity providers and relying parties are separate roles

The Laws of Identity teach that provisioning identities and relying upon them can be separated, and strongly imply that they should be separated. In proposals like the Open Identity Exchange, institutions like banks are urged to re-imagine themselves as IdPs so that they can generate new business, and to open up their risk management policies so they can rely upon external identities and so streamline customer origination. Yet both of these directions are radical departures from how banks work today.

For a bank to have its identities accepted by other organisations requires them to somehow underwrite their identification processes in contexts over which they have no control.  Inevitably, the legal complexity and detailed new terms and conditions swamp any benefits that might be gained from extra revenue streams and identity proofing short cuts.


Copyright © SC Magazine, Australia
