Who do You Trust?
FEDERATED DIGITAL IDENTITY
In the context of providing a strong authentication solution the concept of a Federated Digital Identity is often mentioned. This essay seeks to explore this concept to review and challenge the benefits that ‘Federation’ of digital identity management can provide.
However, before discussing Federation, the concepts of a Digital Identity, and even of Identity itself, will be briefly discussed.
IDENTITY
What is an ‘Identity’? Here are two definitions:
- The collective aspect of the set of characteristics by which a thing is definitively recognizable or known.
- The distinct personality of an individual regarded as a persisting entity; individuality.
These definitions represent the two viewpoints of an identity. The first is external to the entity being identified, using its characteristics to provide recognition. The second can be from the viewpoint of the entity itself. Both of these perspectives need to be considered in identity management.
The degree to which an external party needs to recognise an entity will depend on familiarity with the entity and the activity to be engaged in. The greater the degree of trust involved, the more characteristics of the entity need to be known and verified.
Consider the differences between the interactions in the following scenarios:
- A service technician unexpectedly visits your house and requests access to check ‘something’
- A scheduled service technician visits your house to repair a faulty appliance.
- An old school friend visits you out of the blue after looking you up while they are in town.
- A close family member pops in for a chat and a cup of tea.
In all of these cases the request is the same, “Please let me in to your house”, however the credentials that establish trust will be very different in each case. The first scenario is likely to require a large number of credentials before trust and access are offered. These might be sourced from a business card or a phone number that can be contacted to validate the identity of the visitor. Without a trusted third party to confirm the purpose of the visit and the credentials of the visitor, it is unlikely that access to the house will be granted.
In the second scenario the expectation of a visitor increases the belief that this is a legitimate visitor, so only minimal additional credentials should be required before access is granted. However, it is the recognition of an external trusted third party that supports the trust in this individual.
In the third and fourth scenarios you have an existing relationship with the person, so no third party is required to make a decision about providing access. You may still want to refuse access, but this will be based on your own terms, not the recommendation of a third party.
DIGITAL IDENTITY
In the digital or online environment we are stripped of many of the tools that we use to establish a trust relationship in a face-to-face meeting. We have to work with small, individually provided pieces of data that can be validated before trusted access to services will be provided.
As with the example above of providing access to your home, the importance of a validated identity will vary depending on the activity or service being requested.
In the online environment interactions with websites and applications may be once only events or they may develop into longer term relationships. It is during the creation of an online relationship that a digital identity of some description becomes necessary. This also requires a method of preventing that identity from being used without authorisation by someone else.
In the vast majority of cases all that is required to create a digital identity is:
- a locally unique identifier (e.g. a username, an email address, an account number) and
- a locally shared secret or password.
Additional personal information may be requested depending on the nature of the interaction being offered, but it is not necessarily required to create a local digital identity.
The term ‘local’ here refers to information that will only be recognised within a closed and limited environment. For example, the local environment may be an organisation, a website or an online application. Importantly, it cannot be used and verified outside of this environment.
DIGITAL IDENTITY PROTECTION
The importance of protecting Digital Identities has increased with the growth in the number of uses, applications and interactions that are possible online. Even more critical is that many of these online interactions are also alternatives or proxies to their original offline interactions.
This evolution has not been ignored by criminal elements, who have developed methods, both technical and social, of compromising and stealing Digital Identities. Although there are many possible methods of making this increasingly difficult for criminals to achieve, finding a balance that preserves ease of use for the legitimate owner of the Digital Identity is difficult. The additional costs of delivering more complicated security solutions are also a very important factor.
Specific digital identity security solutions are however a topic for a different paper.
FEDERATION
In the previous sections the idea of a local Digital Identity, and the importance of protecting it, were discussed. One of the features and limitations of these local Digital Identities is that they cannot be used outside of their original environment without some sort of agreement or sharing of a third-party trust relationship.
A Federation can be defined as ‘a group of people united in a relationship and having some interest, activity, or purpose in common’. In the context of Digital Identities this would provide a method of sharing a trust relationship between one or more applications, services or organisations.
This is a valuable proposition since it allows the scope of use of the original Digital Identity to be increased beyond the one localised environment. For example, if both an online banking service and an online shopping service use Federated Digital Identity, then a trust relationship established via the bank may also be applied when performing online shopping activities.
Entities like banks and government organisations that require a higher level of identity verification before establishing a Digital Identity for their customers would be best suited to sharing their trust relationship with others who are not required to apply such strict identity verification guidelines.
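As an added illustration, not part of the original essay, the following Python models the bank/shop example: a local identity (identifier plus locally stored secret) that only the bank can verify, and a federation in which the bank issues a short-lived, audience-bound assertion that the shop verifies without ever seeing the password. The federation key, user data and salt are constructed assumptions; a real deployment would distribute the key out of band and use per-user salts.

```python
"""Local versus federated digital identity, modelled on the essay's bank/shop case."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- the bank's local environment (constructed sample data) ---
SALT = b"constructed-salt"  # assumption: a real store would use a per-user random salt
BANK_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 50_000)}


def bank_local_login(username: str, password: str) -> bool:
    """A local identity: the secret is only verifiable inside the bank."""
    stored = BANK_USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)
    return hmac.compare_digest(stored, candidate)


# --- the federation: a key the bank shares only with its trusted partners ---
FEDERATION_KEY = secrets.token_bytes(32)  # assumption: distributed to each partner out of band


def bank_issue_assertion(username: str, password: str, audience: str,
                         ttl: int = 300, now: Optional[int] = None) -> Optional[str]:
    """After a successful local login the bank issues a signed, audience-bound, expiring assertion."""
    if not bank_local_login(username, password):
        return None
    now = int(time.time()) if now is None else now
    claims = {"iss": "bank", "sub": username, "aud": audience, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(FEDERATION_KEY, body, "sha256").hexdigest()
    return body.hex() + "." + tag


def shop_accept_assertion(token: str, audience: str = "shop",
                          now: Optional[int] = None) -> Optional[str]:
    """The shop relies on the bank's trust: it checks the signature, audience and expiry only."""
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(FEDERATION_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered assertion
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None  # issued for another partner, or stale
    return claims["sub"]
```

The audience and expiry checks are what keep a federated assertion scoped: an assertion issued for one partner should not be replayable at another or after its window has passed.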
FEDERATED DIGITAL IDENTITY – A DOUBLE EDGED SWORD?
BENEFITS
There are clear benefits for both users of online services and the entities that offer them in an environment where a trusted Digital Identity can be used across multiple ‘local’ environments. For example:
- This trust relationship may allow implied identification information to be used to facilitate transactions without sharing a customer’s private data.
- The user can access features and services without the need to create a new local identity in each new environment.
- The cost of protecting the Digital Identity can be shared or recouped from the additional participating entities.
All of these benefits depend on the strength of the trust relationship and the integrity of the Federated Digital Identity. But what if these dependencies cannot be guaranteed?
DANGERS
In the last 5 years, and in particular since late early 2003, criminal activity using the internet has been increasing alarmingly. The payoff of successfully compromising a digital identity that is linked to financial services has also been increasing as the use of these channels by customers grows.
There is no evidence that criminal efforts to find new ways of stealing digital identities are slowing down. In fact the opposite is true.
Banks and financial institutions globally have been seriously impacted by these activities both financially as well as by the threat to consumer confidence that these threats bring.
Is there any guarantee that a Federated Digital Identity system will be able to defend against these attacks? Certainly pooling resources between organisations may help make the cost of increased security implementation easier to bear, but if this security can still be compromised, or customers are unable to use it effectively, will the benefits be worth it?
If a Federated Digital Identity is compromised who will bear the liability of losses across multiple entities?
COMMAND AND CONTROL
The other major challenge for the implementation of the Federation of Digital Identities is that of command and control of the ‘Federation’.
Will this be a coalition or union of willing industry participants, a government body, or a service offered and sold by a ‘trust’ vendor? How much trust and control will organisations be willing to cede to a third party (even a ‘trusted’ one) before further localised identity validation will be required? If a Digital Identity is compromised or security is breached, who will be responsible for fixing it?
CONCLUSION
The ideal of a Federated Digital Identity is a noble one; however both the dangers and the benefits increase with the federation’s scope.
- A Federated Digital Identity does not imply a secure one. In fact it will most likely be slower to react to changing security threats than smaller, localised security management.
- A strong, functional and secure Federated Digital Identity service will most likely evolve slowly and be limited in scope to co-dependent organisations (like banks and ecommerce, for example).
- Large scale federation between competing organisations in the same industry is unlikely due to the difficulties in managing a balance between trust and liability as well as costs and command and control.
A Federated Digital Identity system has benefits and dangers. It is my opinion that as the scale of the federation increases the dangers begin to outweigh the benefits, and this should be carefully considered before launching a fully formed industry-wide system to customers.
nick coster (October 2005)