Hello and welcome to the Kantara Consumer Identity Work Group.
Just in case you missed it, the purpose of the WG is to "foster the development of a consumer-friendly, privacy-protecting, high assurance 'identity layer' for the internet that enables consumers to fully exploit the potential of the internet without fear of identity theft."
How will we accomplish this?
By creating "several whitepapers, and possibly other requirements or recommendations, to describe how emerging identity technologies, protocols, frameworks, laws and regulations, etc., can be leveraged to: (a) enable businesses to know, with high confidence, the identities of individual consumers with whom it engages in high-value online transactions, without jeopardizing the privacy of the consumer's Personally Identifiable Information (PII); and (b) enable individual consumers to prevent others from impersonating them in high-value, online transactions."
That's a tall order. Can we do it? How do we do it? And if we do it, will anyone care?
Just to be clear, what we're talking about is "high assurance" online identification of individual consumers. Or more accurately, high assurance authentication of online identity claims. Obviously it is not necessary, or even desirable, to require high assurance identification of consumers for many types of online transactions. For instance, does an online bookseller really need to know who you are? They only need to know where to ship the book, and that they will get paid. But in other cases it is important, such as: (a) opening a new credit card account online; (b) applying for a loan online; (c) opening a new bank account or other financial account online; (d) ordering your credit report and score online; (e) interacting with certain government websites to change or update personal information (e.g., mailing address for a social security check, beneficiary information). Not only is it important that the service provider knows with high assurance who it is dealing with in these instances, but from the consumer's point of view it's equally important to prevent someone else from impersonating him/her in these types of transactions.
In other types of situations, what's needed isn't necessarily authentication of an identity claim, but authentication of a claim to be authorized to do something, such as being authorized to make a payment from an online banking or other payment account, or to access an existing online financial account, or to access certain medical records.
These examples illustrate that, while the need for individual consumers to establish their identities when enrolling for high-value, identity-dependent services is critical, the need is likely to be infrequent. How often does any given person apply for a new credit card, anyway? On the other hand, for any given individual, the need to authenticate for access to existing high-value accounts or resources on an ongoing basis would be much more frequent. However, all too often the authentication method is based on nothing more than a userid and password, supplemented with "challenge questions" whose answers are not that hard to guess, especially for consumers who engage in social networking and put much of their lives online.
One of the purposes of this WG is to make a better case for using strong authentication methods in these situations, and in particular to show how high assurance identity services can help to prevent identity theft. If everyone had online credentials for high assurance identity authentication, and every service provider required such authentication for high-value transactions, that would be one thing. But that won't happen any time soon. In the meantime, the best that can be done to help protect those with such credentials from being identity theft victims may be to devise a way to detect whether anyone is using the personal information of credential holders for such purposes. In other words, if an Identity Provider has verified your identity and issued you credentials to be used online, but someone else is using your stolen personal information to claim your identity, can this situation be "discovered" and mitigated? If so, the person using your identity information could then be asked to authenticate using the credentials only you would have. One of the outcomes of this WG is a further exploration of this scenario and its potential feasibility.
So with this brief explanation and description of the goals of the WG, I invite your comments, questions, and suggestions. If you have joined the Consumer Identity WG, you can post these comments directly to the group's mailing list. If you have not already joined the WG, but would like to do so, please click on the JOIN THIS GROUP button on the WG's home page. I'd like to schedule a group conference call at some point, but I'm hoping to first generate some discussion on the mailing list to serve as a focus of the call.
Bob Pinheiro
Chair, Consumer Identity WG