<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Idlemind - nickcoster.com &#187; identity</title>
	<atom:link href="http://www.nickcoster.com/category/identity/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.nickcoster.com</link>
	<description>Future gazing from a quiet corner of cyberspace.</description>
	<lastBuildDate>Sat, 12 Jun 2010 00:50:52 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Facebook. Who would&#8217;a thought.</title>
		<link>http://www.nickcoster.com/2007/07/facebook-who-woulda-thought/</link>
		<comments>http://www.nickcoster.com/2007/07/facebook-who-woulda-thought/#comments</comments>
		<pubDate>Mon, 09 Jul 2007 12:10:37 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[identity]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=121</guid>
		<description><![CDATA[Against my better judgment I have created a Facebook account. Sometimes I do these things just to see how they work. As I moved about the office I would see people interrupting their normal procrastinating web surfing with long visits to Facebook. For anyone still reading this who doesn&#8217;t know what Facebook is I&#8217;ll provide [...]]]></description>
			<content:encoded><![CDATA[<p>Against my better judgment I have created a <a href="http://www.facebook.com">Facebook</a> account. Sometimes I do these things just to see how they work. As I moved about the office I would see people interrupting their normal procrastinating web surfing with long visits to Facebook.</p>
<p>For anyone still reading this who doesn&#8217;t know what Facebook is I&#8217;ll provide a quick intro. It is an online social networking service that allows you to post up a picture of yourself and a simple profile. You then look for other people&#8217;s profiles that you know and then invite them to be friends. Simple&#8230; to begin with, but then the links form into networks. Within these networks information is shared and that is where it starts to get interesting&#8230;..</p>
<p>So now just watching my own Facebook profile I get a stream of the interesting, the creative, the playful, and (more often than not) the completely inane. It is strangely addictive, but already I have been linked to a couple of people that I have barely spoken to since leaving high school. And it felt good. </p>
<p>That seems to be part of the draw of these types of sites. It is not the silly little messages that appear all day, but the small smile that creeps onto my face when I read them and the tiny inspiration that I get when I see beauty in another&#8217;s photos. It is the micro emotional connections that they offer that somehow bring people together that I like.</p>
<p>The inspiration is to do it more in the offline world as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2007/07/facebook-who-woulda-thought/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Who do You Trust?</title>
		<link>http://www.nickcoster.com/2006/03/who-do-you-trust/</link>
		<comments>http://www.nickcoster.com/2006/03/who-do-you-trust/#comments</comments>
		<pubDate>Mon, 27 Mar 2006 04:40:48 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[identity]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=114</guid>
		<description><![CDATA[FEDERATED DIGITAL IDENTITY In the context of providing a strong authentication solution the concept of a Federated Digital Identity is often mentioned. This essay seeks to explore this concept to review and challenge the benefits that &#8216;Federation&#8217; of digital identity management can provide. However before discussing Federation the concepts of a Digital Identity and even [...]]]></description>
			<content:encoded><![CDATA[<h2>FEDERATED DIGITAL IDENTITY</h2>
<p>In the context of providing a strong authentication solution the concept of a Federated Digital Identity is often mentioned. This essay seeks to explore this concept to review and challenge the benefits that &#8216;Federation&#8217; of digital identity management can provide.</p>
<p>However, before discussing Federation, the concepts of a Digital Identity and even Identity itself will be briefly discussed. <span id="more-114"></span></p>
<h2>IDENTITY</h2>
<p>What is an &#8216;Identity&#8217;? Here are two <a href="http://www.dictionary.com">definitions</a>:</p>
<ol>
<li><em>The collective aspect of the set of characteristics by which a thing is definitively recognizable or known.</em></li>
<li><em>The distinct personality of an individual regarded as a persisting entity; individuality.</em></li>
</ol>
<p>These definitions represent the two viewpoints of an identity. The first one is external to the entity being identified, using its characteristics to provide recognition. The second definition can be from the viewpoint of the entity itself. Both of these perspectives need to be considered in identity management.</p>
<p>The degree to which an external party needs to recognize an entity will depend on familiarity with the entity and the activity to be engaged in. The greater the degree of trust involved, the more of the entity&#8217;s characteristics need to be known and verified.</p>
<p>Consider the differences between the interactions in the following scenarios:</p>
<ol>
<li>A service technician unexpectedly visits your house and requests access to check &#8216;something&#8217;.</li>
<li>A scheduled service technician visits your house to repair a faulty appliance.</li>
<li>An old school friend visits you out of the blue after looking you up while they are in town.</li>
<li>A close family member pops in for a chat and a cup of tea.</li>
</ol>
<p>In all of these cases the request is the same, &#8220;Please let me in to your house&#8221;, however the credentials that establish trust will be very different in each case. The first scenario is likely to require a large number of credentials before trust and access are offered. These might be sourced from a business card or a phone number that can be called to validate the identity of the visitor. Without a trusted third party to confirm the purpose of the visit and the credentials of the visitor it is unlikely that access to the house will be granted.</p>
<p>In the second scenario the expectation of a visitor increases the belief that this is a legitimate visitor, so only minimal additional credentials should be required before access is granted. However it is the recognition of an external trusted third party (the organisation that scheduled the visit) that supports the trust in this individual.</p>
<p>In the third and fourth scenarios you have an existing relationship with the person, so no third party is required to make a decision about providing access. You may still want to refuse access but this will be on your terms, not on the recommendation of a third party.</p>
<h2>DIGITAL IDENTITY</h2>
<p>In the digital or online environment we are stripped of many of the tools that we use to establish a trust relationship in a face to face meeting. We have to work with small individually provided pieces of data that can be validated before trusted access to services will be provided.<br />
As with the example above, of providing access to your home, the importance of a validated identity will vary depending on the activity or service being requested.<br />
In the online environment interactions with websites and applications may be once only events or they may develop into longer term relationships. It is during the creation of an online relationship that a digital identity of some description becomes necessary. This also requires a method of preventing that identity from being used without authorisation by someone else.<br />
In the vast majority of cases all that is required to create a digital identity is: </p>
<ul>
<li>a locally unique identifier (eg a username, an email address, an account number) and </li>
<li>a locally shared secret or password.</li>
</ul>
<p>Additional personal information may be requested depending on the nature of the interaction being offered, but it is not necessarily required to create a local digital identity.</p>
<p>The term &#8216;local&#8217; here refers to information that will only be recognised within a closed and limited environment. For example, the local environment may be an organisation, a website or an online application. Importantly it cannot be used and verified outside of this environment.</p>
<h3>DIGITAL IDENTITY PROTECTION</h3>
<p>The importance of protecting Digital Identities has increased with the growth in the number of uses, applications and interactions that are possible online. Even more critical is that many of these online interactions are also alternatives or proxies to their original offline interactions.</p>
<p>This evolution has not been ignored by criminal elements, who have developed methods, both technical and social, of compromising and stealing Digital Identities. Although there are many possible methods of making this more difficult for criminals, finding one that still preserves ease of use for the legitimate owner of the Digital Identity is a difficult balance. The additional cost of delivering more complicated security solutions is also a very important factor.</p>
<p>Specific digital identity security solutions are however a topic for a different paper.</p>
<h2>FEDERATION</h2>
<p>In the previous topic the idea of a local Digital Identity was discussed, along with the importance of protecting it. One of the features, and limitations, of these local Digital Identities is that they cannot be used outside of their original environment without some sort of agreement, or a shared third-party trust relationship.</p>
<p>A Federation can be defined as &#8216;a group of people united in a relationship and having some interest, activity, or purpose in common&#8217;. In the context of Digital Identities this would provide a method of sharing a trust relationship between two or more applications, services or organisations.</p>
<p>This is a valuable proposition since it allows the scope of use of the original Digital Identity to be increased beyond the one localised environment. For example, if both an online banking service and an online shopping service use Federated Digital Identity, then a trust relationship established via the bank may also be applied when performing online shopping activities.</p>
<p>Entities like banks and government organisations that require a higher level of identity verification before establishing a Digital Identity for their customers would be best suited to sharing their trust relationship with others who are not required to apply such strict identity verification guidelines.</p>
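<p>The two sections above describe a local Digital Identity (a locally unique identifier plus a shared secret, verifiable only where it was created) and a federation in which the trust a bank established can be reused by a shop. The Python below is an added example written for this page, not code from the essay or from any real federation product. It models the bank as the issuer of a signed, scoped, expiring assertion, the shop as the party that checks it, and the federation agreement as a key the two organisations share. The names bank.example and shop.example, the user fred, the password, the scope values and the key are all constructed for the demonstration.</p>

```python
# Added example written for this page, not code from the essay. The bank is the
# identity provider (it did the strict identity check), the shop is the relying
# party, and the federation agreement is modelled as an HMAC key the two share.
# Every name, user, password, scope and key below is constructed for the demo.
import hashlib, hmac, json, os, time

ITERATIONS = 100_000  # PBKDF2 work factor; kept modest so the demo runs quickly


class LocalIdentityStore:
    """A local digital identity: unique identifier plus shared secret,
    verifiable only by the environment that holds this store."""

    def __init__(self):
        self._users = {}  # username -> (salt, pbkdf2 digest)

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._users[username] = (salt, digest)

    def verify(self, username, password):
        if username not in self._users:
            return False
        salt, digest = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)


def sign(key, claims):
    # Canonical JSON so the signature does not depend on dict ordering.
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Authenticates against its local store, then issues a scoped, expiring
    assertion signed with the key it shares with the named relying party."""

    def __init__(self, name, store, agreements):
        self.name, self.store, self.agreements = name, store, agreements

    def issue(self, username, password, audience, scope, ttl=300, now=None):
        if not self.store.verify(username, password):
            raise PermissionError("local authentication failed")
        if audience not in self.agreements:
            raise PermissionError("no federation agreement with " + audience)
        now = time.time() if now is None else now
        claims = {"iss": self.name, "sub": username, "aud": audience,
                  "scope": sorted(scope), "exp": int(now + ttl)}
        return {"claims": claims, "sig": sign(self.agreements[audience], claims)}


class RelyingParty:
    """Reuses the issuer's trust without ever seeing the user's password; it
    checks assertions only against keys of issuers it has an agreement with."""

    def __init__(self, name, trusted_issuers):
        self.name, self.trusted = name, trusted_issuers

    def accept(self, assertion, required_scope, now=None):
        claims = assertion["claims"]
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return "rejected: unknown issuer"
        if not hmac.compare_digest(sign(key, claims), assertion["sig"]):
            return "rejected: bad signature"
        if claims["aud"] != self.name:
            return "rejected: assertion meant for another party"
        now = time.time() if now is None else now
        if claims["exp"] <= now:
            return "rejected: expired"
        if required_scope not in claims["scope"]:
            return "rejected: scope %r not granted" % required_scope
        return "accepted: %s via %s" % (claims["sub"], claims["iss"])


def demo(now=1_000_000):
    key = os.urandom(32)  # the bank/shop federation agreement
    bank_users = LocalIdentityStore()
    bank_users.register("fred", "correct horse battery staple")
    bank = IdentityProvider("bank.example", bank_users, {"shop.example": key})
    shop = RelyingParty("shop.example", {"bank.example": key})
    results = {}
    # The shop never sees the bank password; it verifies the bank's assertion.
    token = bank.issue("fred", "correct horse battery staple", "shop.example", {"checkout"}, now=now)
    results["good"] = shop.accept(token, "checkout", now=now)
    # Tampering with the claims breaks the signature.
    forged = {"claims": dict(token["claims"], scope=["checkout", "transfer"]), "sig": token["sig"]}
    results["tampered"] = shop.accept(forged, "transfer", now=now)
    # A scope the bank never granted is refused even with a valid signature.
    results["wrong_scope"] = shop.accept(token, "transfer", now=now)
    # An issuer outside the shop's federation is refused, whatever it signs.
    stranger = IdentityProvider("other.example", bank_users, {"shop.example": os.urandom(32)})
    token2 = stranger.issue("fred", "correct horse battery staple", "shop.example", {"checkout"}, now=now)
    results["unknown_issuer"] = shop.accept(token2, "checkout", now=now)
    # The assertion has a limited lifetime.
    results["expired"] = shop.accept(token, "checkout", now=now + 301)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-15s %s" % (name, outcome))
```

<p>Running the file prints one outcome per scenario. The shop decides from the signature, issuer, audience, expiry and scope alone, which is what lets the bank&#8217;s local identity be reused elsewhere. Note the flip side the DANGERS section below raises: whoever holds the shared key can mint assertions the shop will accept, so the key is now a secret that two organisations must protect, and a compromise at either end affects both.</p>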
<h2>FEDERATED DIGITAL IDENTITY &#8211; A DOUBLE EDGED SWORD?</h2>
<h3>BENEFITS</h3>
<p>There are clear benefits for both users of online services and the entities that offer them in an environment where a trusted Digital Identity can be used across multiple â€˜localâ€™ environments. For example:</p>
<ul>
<li>This trust relationship may allow implied identification information to be used to facilitate transactions without sharing a customer&#8217;s private data.</li>
<li>The user can access features and services without the need to create a new local identity in each new environment.</li>
<li>The cost of protecting the Digital Identity can be shared or recouped from the additional participating entities.</li>
</ul>
<p>All of these benefits depend on the strength of the trust relationship and the integrity of the Federated Digital Identity. But what if these dependencies cannot be guaranteed?</p>
<h3>DANGERS</h3>
<p>In the last five years, and in particular since early 2003, criminal activity using the internet has been increasing alarmingly. The payoff from successfully compromising a digital identity that is linked to financial services has also been increasing as the use of these channels by customers grows.<br />
There is no evidence that criminal effort to find new ways of stealing digital identities is slowing down. In fact the opposite is true.</p>
<p>Banks and financial institutions globally have been seriously impacted by these activities both financially as well as by the threat to consumer confidence that these threats bring. </p>
<p>Is there any guarantee that a Federated Digital Identity system will be able to defend against these attacks? Certainly pooling resources between organisations may help make the cost of increased security implementation easier to bear, but if this security can still be compromised, or customers are unable to use it effectively, will the benefits be worth it?</p>
<p>If a Federated Digital Identity is compromised who will bear the liability of losses across multiple entities? </p>
<h3>COMMAND AND CONTROL</h3>
<p>The other major challenge for the implementation of the Federation of Digital Identities is that of command and control of the &#8216;Federation&#8217;.</p>
<p>Will this be a coalition or union of willing industry participants, a government body, or a service offered and sold by a &#8216;trust&#8217; vendor? How much trust and control will organisations be willing to hand to a third party (even a &#8216;trusted&#8217; one) before further localised identity validation will be required? If a Digital Identity is compromised or security is breached, who will be responsible for fixing it?</p>
<h2>CONCLUSION</h2>
<p>The ideal of a Federated Digital Identity is a noble one; however both the dangers and the benefits increase with the federation&#8217;s scope.</p>
<ul>
<li>A Federated Digital Identity does not imply a secure one. In fact it will most likely be slower to react to changing security threats than smaller, localised security management.</li>
<li>A strong, functional and secure Federated Digital Identity service will most likely evolve slowly and be limited in scope to co-dependent organisations (like banks and ecommerce, for example).</li>
<li>Large scale federation between competing organisations in the same industry is unlikely due to the difficulties in managing a balance between trust and liability as well as costs and command and control.</li>
</ul>
<p>A Federated Digital Identity system has benefits and dangers. It is my opinion that as the scale of the federation increases the dangers begin to outweigh the benefits, and this should be carefully considered before launching a fully formed industry-wide system to customers.</p>
<p><strong><em>nick coster (October 2005) </em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2006/03/who-do-you-trust/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity Blog Comment</title>
		<link>http://www.nickcoster.com/2006/02/110/</link>
		<comments>http://www.nickcoster.com/2006/02/110/#comments</comments>
		<pubDate>Tue, 21 Feb 2006 01:54:19 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[identity]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=110</guid>
		<description><![CDATA[Yesterday I responded to Kim Cameron&#8217;s Identity Blog posting titled INTERVIEW ON OPENNESS AND PRIVACY, discussing an interview between Bill Gates and the Financial Times. I just wanted to get my comment up here in case Kim never authorises it on his site. He may not trust me. Bill Gates: &#8220;That&#8217;s called federation, where we [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday I responded to Kim Cameron&#8217;s Identity Blog posting titled <a target="_blank" href="http://www.identityblog.com/?p=375">INTERVIEW ON OPENNESS AND PRIVACY</a>, discussing an interview between Bill Gates and the Financial Times. I just wanted to get my comment up here in case Kim never authorises it on his site. He may not trust me.</p>
<blockquote><p>Bill Gates: <em>&#8220;That&#8217;s called federation, where we take their trust statement and we accept it, within a certain scope. So they don&#8217;t have to get another user account password. There&#8217;s no central node in this thing at all, there never can be. Banks are a key part of it, governments can be part of it. The US, probably not as much.&#8221;</em></p>
<p>This statement highlights the number one problem that a federated identity system is going to face &#8211; the federation of trust. Compared to the problem of trusting &#8216;trust&#8217;, identity management is a piece of cake. Yet the discussion continually seems to revolve around the sharing of identity secrets, but it is the trust of the owners of the identity secrets that is the greatest challenge. It is fairly clear that in the world today trust is an expensive commodity that is not easily transferable.</p>
<p>I believe that there needs to be a way of abstracting this trust problem to one or more (competing?) third parties. The question is &#8216;who do you trust&#8217;?</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2006/02/110/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity Blogging</title>
		<link>http://www.nickcoster.com/2006/02/identity-blogging/</link>
		<comments>http://www.nickcoster.com/2006/02/identity-blogging/#comments</comments>
		<pubDate>Tue, 14 Feb 2006 13:47:10 +0000</pubDate>
		<dc:creator>nick</dc:creator>
				<category><![CDATA[identity]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[work]]></category>

		<guid isPermaLink="false">http://www.nickcoster.com/?p=107</guid>
		<description><![CDATA[It is time to get this site going about more than just my &#8216;idle&#8217; mumblings and out of date running updates. There is a topic of conversation that my career has revolved around like a satellite around a planet. It is the story of online identities and their use and misuse. For me this has [...]]]></description>
			<content:encoded><![CDATA[<p>It is time to get this site going about more than just my &#8216;idle&#8217; mumblings and out of date running updates. There is a topic of conversation that my career has revolved around like a satellite around a planet. It is the story of online identities and their use and misuse.</p>
<p>For me this has appeared in projects where two ISP businesses have brought their customers under one organisation and these customers do not have unique usernames to identify themselves to the new ISP. What! Two &#8216;Fred&#8217;s!! Will the real Fred please step forward? Hmm, if only it was that simple. In the late &#8217;90s when ISPs and online portals were coming together this happened time and again, and it was always messy.</p>
<p>At around the same time the &#8216;kiddies&#8217; got their hands on software that would allow them to steal passwords from customers in the school holidays. So now usernames <em>and </em>passwords are under siege. A single stolen password could be reused by the baddies over and over again without recourse. </p>
<p>Then spam came along and polluted the one personal identifier that the whole internet had agreed from the outset would be unique. Bugga. Stopping spam and protecting mailboxes became another major project. Without a way of identifying who the hell sent the spam in the first place, or even being sure who sent what looks like the good email, all manner of arcane solutions had to be employed.</p>
<p>By now the &#8216;kiddies&#8217; have grown up and are selling their password stealing skills to the spammers who are selling their spam networks to real criminals, who don&#8217;t want your email. They want your bank account. Enter the rise and rise of &#8216;phishing&#8217;.</p>
<p>So now I am looking at ways of improving on the humble static password. When was the last time you changed yours? Are you <strong>sure</strong> nobody else knows it? </p>
<p>All of these things tie right back to &#8216;identity&#8217; (as the industry insists on calling it). Who am I? Who are you? And how do we prove it to each other in such a way that it doesn&#8217;t get in the way of what we were trying to do in the first place.</p>
<p>I want to talk about this here because there is a lot in this idle mind that I need to get out. I know this stuff and I hear some of the biggest names in many different industries grappling with the same problems and, in my opinion, in quite misdirected ways. This surge of blog energy was inspired by an <a href="http://channel9.msdn.com/ShowPost.aspx?PostID=91417">interview</a> with Kim Cameron on Microsoft&#8217;s <a href="http://channel9.msdn.com/">Channel 9</a>. I get frustrated because I believe that they are trying to solve the wrong problem, and as a result won&#8217;t get the outcome they are seeking.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nickcoster.com/2006/02/identity-blogging/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
