A new theory of digital identity


Successes of the federated identity experience

Most of the successful identity federations to date have been catalogued by the Kantara Initiative. They include the aerospace industry bridge CA, the pharmaceutical companies’ SAFE Biopharma service, Canadian and US federal Certificate Authorities, and several tertiary education access control schemes. Tellingly, these are all Public Key Infrastructures. More importantly they are all specific to highly regulated sectors, so all participants start out with credentials that are already highly standardised. 

A few cross-sector federations have succeeded in Scandinavia. The BankID consortium for example agreed on a particular PKI solution for issuing electronic credentials.  Over two million BankIDs have been issued, and may be used for lodging tax returns as well as many other government transactions.  After its own citizen e-ID card failed to gain ground, the Swedish government in effect outsourced its IdM to the banks, and passed special legislation to make it happen.

The most notable identity federations are the social logons, such as Facebook Connect and LinkedIn Identity. These each operate almost seamlessly across a great many sites, thanks to the OAuth protocol that permits services to share identity data, with the user’s blanket consent.  But we need to take this experience to date with a big grain of salt.  Today’s social logons are issued by services that don’t really know who you are, and are accepted by sites that don’t really care who you are. 

Failed federations

The Trust Centre was an initiative of the Australian banking sector in 2006, with the aim of combating phishing and identity theft. The plan at its height was for an independently operated IdM hub to aid enrolment, authentication, authorisation and forensics. After at least a year’s hard work, in late 2007 the Trust Centre broke up, without even the most basic level of strategic cooperation being agreed upon.  It should be sobering that federation eluded this small number of very similar organisations working in a highly regulated environment. 

In 2005, the Internet Industry Association developed a framework for an industry-based Two Factor Authentication scheme.  With the support of the Australian government, the IIA commissioned a detailed study of the legal and management risks, and the IT architecture required so a range of authentication devices could be re-used across multiple service providers. The scheme would be technology agnostic to increase choice and foster competition among solutions providers. The strategic objectives were to cut cost, streamline the ‘token necklace’, and help counter cyber crime. 

Sadly, even after designing pro forma agreements and an architecture, the IIA was unable to sign up industry participants to trial the 2FA scheme. It was observed at the time that banks seemed reluctant to allow re-use of their authentication devices. In hindsight, the risk sharing agreements were probably too complex and too novel.

Meanwhile overseas, OpenID became the poster child for federated identity. OpenID is a framework in which users can register a personal Uniform Resource Identifier (URI) and have it recognised by participating service providers, to enable web Single Sign On. When launching NSTIC in January 2011, White House security adviser Howard Schmidt asked us to “imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords”. This vision was inspired by OpenID. Despite its promise, OpenID has struggled for acceptance, and has been conspicuously dropped by influential early adopters such as 37signals.

Early 2011 saw the worst news to date for the identity industry, with Microsoft ceasing support for Windows CardSpace, its implementation of Information Cards. The CardSpace post mortems concentrated on platform issues, deployment, and technology company politics, and it’s business as usual, albeit with noticeably less excitement, at Kantara and NSTIC.

Clearly the ‘Identity 2.0’ movement is in some trouble. Why should so much good sense and smart technology still be bumping along the bottom? The answer lies in a new and unifying theory of identity that recognises deep problems in the very concept of sharing identities.

The real problem with Federated Identity

If we take a closer look, we can see that nothing like federated identity has ever been done before. The proposition that banks, phone companies, universities and governments should act in the open as Identity Providers to support transactions they have nothing to do with is not something these institutions have ever contemplated.  Federation implies widespread changes to risk management arrangements, which lawyers and legislators have yet to come to grips with. Consider the banks’ long established and highly regulated Know Your Customer protocols for identifying customers; introducing new third party brokers and enrolment pathways is a true paradigm shift, demanding untold revision of business rules, contracts and legislation. 

The greatest challenge in federated identity is getting service and identity providers, accustomed to operating in their own silos, to accept risks incurred by their members doing business in foreign settings. This is why identity is so very context dependent, and why specialised identities are so hard to federate. 

The intellectually compelling Laws of Identity speak of deep truths about digital identity and context, and they forcefully make the case for each of us exercising a plurality of identities, never just one. The Laws illuminate how organisations like banks and governments act simultaneously as Identity Provider and Relying Party. Yet few if any of these institutions have been convinced by the Laws to uncouple and expand these roles in their own right. The barrier to embracing federated identity is simply that nobody has yet worked out how to allocate liability in multilateral brokered identity arrangements without re-writing the contracts that currently govern how we buy, bank and access government and health services.

So the problem with the Laws of Identity is not that they are wrong; it’s that they are overly abstract. Identity federation complicates business by inserting novel intermediaries into business relationships that until now have been closely managed in a familiar, conservative, bilateral way. The cornerstones of commerce are conservative institutions, understandably rather easily put off by legal complexity that falls outside their main business activity. When push comes to shove, banks in particular just don’t see themselves as identity providers.

Copyright © SC Magazine, Australia
