Why federated identity is a pipedream

Lawyers, other ugly realities get in the way.

The concept of federated identity - in which web users would have a single means of proving their identity to consumer online services - is under sustained attack from identity experts concerned that it will never exist beyond a hypothetical model.

The concept aims to improve the efficiency and security of how organisations and individuals use identities.

It could remove, as the White House cyber tsar Howard Schmidt has noted, the need for individuals "to have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services".

It could also cut down identity theft crime by providing strong trust frameworks, held by the likes of banks, to small businesses that have weaker structures.

But the promise is chaff, according to Steve Wilson, director of LockStep consulting, who has worked in identity management and Public Key Infrastructure for more than a decade.

"The main problem of federated identity is the real world," Wilson said. "We have evolved different business ecosystems to meet local risk problems."

These ecosystems include trust structures such as the 100-point ID check which, at least in the foreseeable future, cannot be translated between countries, he said.

"If an offshore bank came to Australia with customers trusted in the US, you would have a Tower of Babel problem. As for changing the laws ... it's out of the question."

"The 100-point ID check is only the tip of the iceberg," he said. "Other ecosystems have different ways of managing different threats, which means federated ID won't work."

The notion that a bank would vouch for the veracity of a customer identity so that it may be used by other organisations is little more than a "strange love triangle" manufactured by IT engineers, he said.

"That need for third party trust is a show-stopper," Wilson said.

The authentication tree

Federated identity schemes have previously been, and will continue to be, voided by finance industry lawyers, Wilson said, because they introduce risk into the world's most mature trust frameworks.

"Banks want to manage liability to zero, but if there is a problem with a trusted identity, the receiver of it will go after the bank."

Contrary to what some federated identity pundits say, the issue of 'knowing customers', typified in Australia's Know Your Customer legislation, does not need an overhaul, Wilson said.

"It is a misleading idea that 'knowing' is not enough; my relationship with the Commonwealth Bank is enough to work with Commonwealth Bank. They know me for the purpose of managing risk."

"They do not 'know' me for the sake of managing risk to third parties."

He said trust is a red herring because it operates entirely in context, and to suggest that it should be held to the same standard online as it is in human discourse is "crazy".

"There is so, so much false promise; we just need to focus on identity security."

NetIQ chief executive officer Jay Gardner agreed. He said identity security should be "taken back to fundamentals".

"Accountability rests on ID providers, who are held to a high standard of security," Gardner said. "On the other end, the enterprise, the CISO, needs to ensure that what goes out is secure."

"There is so much to get right, so if everyone raises the bar on identity issues, we would solve a lot of the data breaches we see today."

The solution requires tougher government regulation and better corporate standards, Gardner said. Neither alone would solve the problem.

He said an "ecosystem" of government, enterprises, and suppliers must materialise and jointly improve the integrity of identity management.

But federated identity could work in niches, Wilson said. In the world of social networking, which operates on a lower risk scale, Facebook and Google reign. Countless websites open their services for use by identities already trusted by Facebook, Google and dozens of others.

And as businesses gravitate to more robust trust structures such as those held by banks, these websites will ditch Facebook and Google for LinkedIn, according to Wilson.

"LinkedIn will be a killer here. It is very, very powerful in the social space."

Copyright © SC Magazine, Australia
