|
This Interim Report describes the identity theft/fraud problem, and advocates that the solution is to enable (and motivate) service providers to rely on high assurance, identity-related claims during the establishment of new high value services or relationships, and as a condition for granting access to previously-established high value services or protected resources. This Interim Report also enumerates various issues that need to be addressed in order to do this. Two developments involving consumer identity, which could have some bearing on the Consumer Identity WG, were in the news recently. The Information Card Foundation and the OpenID Foundation announced a joint whitepaper that discusses open trust frameworks for open government applications, including how these trust frameworks will play an important role in enabling OpenID and Information Cards to authenticate consumers/citizens for open government applications. Here is the announcement, with a link to the whitepaper:http://informationcard.net/blog/open-trust-frameworks-paper. Closely following this, a pilot program was announced involving ten big companies who will act as Identity Providers, using OpenID and Information Cards, for open government applications. These ten companies - Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems - will issue OpenIDs and Information Cards to consumers/citizens for use in accessing these government applications. The advantage of this approach is that citizens do not need to obtain separate credentials (i.e., usernames and passwords) from the government at each of the websites providing these government services. Instead, citizens can access services across multiple government websites using the same OpenID or Information Card. [The announcement is here: http://informationcard.net/blog/open-identity-initiative-2009-09-09] The US federal government agencies participating in this pilot include the Center for Information Technology (CIT), National Institutes of Health (NIH), and U.S. Department of Health and Human Services (HHS). What kinds of open-government services will be provided in this pilot program? According to the announcement, "in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections." The open government services provided in the pilot are all Assurance Level 1 services, meaning that these services do not require that the actual identities of the citizens using them be known, and that password authentication is deemed acceptable. So consumers obtaining these OpenIDs and Information Cards will not have to identify themselves, and the Identity Providers will not have to verify anyone's identity. And even though consumers will not need to obtain separate passwords for each of the government sites, use of a particular OpenID or Information Card will require password authentication to the Identity Provider, which provides a low assurance that the same person is coming back each time to use the service. So will this have any impact on the Consumer Identity WG? I recently was able to obtain (and distribute here with permission) a presentation made at this year's Catalyst conference by Andrew Nash of PayPal, entitled "A Billionth of a Second After the Big Bang." No, this is not a treatise on astrophysics, but an attempt to address the question of how we get from here (shortly after the "big bang" of identity, where all this identity stuff like OpenID and Information Cards is floating around) to the "steady state" of identity, where things have coalesced and everyone has some sort of digital identity. The presentation hints at some answers, but the very fact that the government has chosen to rely on credentials issued by non-government entities for access to consumer/citizen applications is a watershed moment in helping to bring about the greater use of privacy-protecting digital identity credentials for use by consumers in a variety of online transactions. But the open government applications require only low assurance identity services, and this WG is about high assurance consumer identity. Will governments also provide online services to citizens that require high assurance of the individual's identity, or that require stronger authentication technologies such as digital certificates to be used in conjunction with OpenID or Information Cards? Will the ten Identity Providers in the current pilot choose to provide these higher assurance credentials to consumers? And if so, will other non-government businesses and service providers such as financial institutions and healthcare providers adopt the same trust frameworks so that consumers can use the same high-assurance credentials with these applications as well? These are unanswered questions, and if anyone has any opinions or insights they want to contribute, please do! In the meantime, OASIS, the open standards consortium, is sponsoring Identity Management 2009 at NIST, Gaithersburg, MD, on September 29-30. This conference will address open identity technologies as they apply to open government. Is anyone planning to attend? I should also mention that the Kantara IDDY awards were announced today (Sept. 15, 2009). One of the winners, Signicat, won an IDDY Deployment award for the development of an online hosted Identity Provider that is offered as a managed service to private and public sector enterprises and organizations in the Nordic Region (Norway, Sweden, Denmark and Finland). Signicat also has a service, Signicat ID, that provides secure authentication of individuals to websites that require high assurance of a user's identity. Understanding how this works, and how it might relate to these other open identity technologies, is something the WG should look into further. Bob Pinheiro Chair, Consumer Identity WG Hello and welcome to the Kantara Consumer Identity Work Group. Just in case you missed it, the purpose of the WG is to "foster the development of a consumer-friendly, privacy-protecting, high assurance 'identity layer' for the internet that enables consumers to fully exploit the potential of the internet without fear of identity theft." How will we accomplish this? By creating "several whitepapers, and possibly other requirements or recommendations, to describe how emerging identity technologies, protocols, frameworks, laws and regulations, etc., can be leveraged to: (a) enable businesses to know, with high confidence, the identities of individual consumers with whom it engages in high-value online transactions, without jeopardizing the privacy of the consumer's Personally Identifiable Information (PII); and (b) enable individual consumers to prevent others from impersonating them in high-value, online transactions." That's a tall order. Can we do it? How do we do it? And if we do it, will anyone care? Just to be clear, what we're talking about is "high assurance" online identification of individual consumers. Or more accurately, high assurance authentication of online identity claims. Obviously it is not necessary, or even desirable, to require high assurance identification of consumers for many types of online transactions. For instance, does an online bookseller really need to know who you are? They only need to know where to ship the book, and that they will get paid. But in other cases, it is important. Such as, for instance: (a) opening a new credit card account online; (b) applying for a loan online; (c) opening a new bank account or other financial account online; (d) ordering your credit report and score online; (e) interacting with certain government websites to change or update personal information (i.e., mailing address for a social security check, beneficiary information, etc.). Not only is it important that the service provider knows with high assurance who it is dealing with in these instances, but from the consumer's point of view it's equally important to prevent someone else from impersonating him/her in these types of transactions. In other types of situations, what's needed isn't necessarily authentication of an identity claim, but authentication of a claim to be authorized to do something. Such as, for instance, being authorized to make a payment from an online banking or other payment account, or to access an existing online financial account, or to access certain medical records. These examples illustrate that, while the need for individual consumers to establish their identities when enrolling for high value, identity-dependent services is critical, the need is likely to be infrequent. How often does any given person apply for a new credit card, anyway? On the other hand, for any given individual, the need to authenticate for access to existing high-value accounts or resources on an ongoing basis would be much more frequent. However, all too often the authentication method is based on nothing more than a userid and password, supplemented with "challenge questions" whose answers are not that hard to guess, especially for consumers who engage in social networking and put much of their lives online. One of the purposes of this WG is to make a better case for using strong authentication methods in these situations, and in particular to show how high assurance identity services can help to prevent identity theft. If everyone had online credentials for high assurance identity authentication, and every service provider required such authentication for high value transactions, that would be one thing. But that won't happen any time soon. In the meantime, the best that can be done to help protect those with such credentials from being identity theft victims may be to devise a way to detect whether anyone is using the personal information of credential holders for such purposes. In other words, if an Identity Provider has verified your identity and issued you credentials to be used online, but someone else is using your stolen personal information to claim your identity, can this situation be "discovered" and mitigated? If so, the person using your identity information could then be asked to authenticate using the credentials only you would have. One of the outcomes of this WG is a further exploration of this scenario and its potential feasibility. So with this brief explanation and description of the goals of the WG, I invite your comments, questions, and suggestions. If you have joined the Consumer Identity WG, you can post these comments directly to the group's mailing list. If you have not already joined the WG, but would like to do so, please click on the JOIN THIS GROUP button on the WG's home page. I'd like to schedule a group conference call at some point, but I'm hoping to first generate some discussion on the mailing list to serve as a focus of the call. Bob Pinheiro Chair, Consumer Identity WG |
Bookmarks
Is this site useful to you? Please share it! On This Page:
Pages in this Space:
|
News
Labels:
None