August 20, 2010
Crisis? What's crisis?
Is the field of open digital identities an ‘ecosystem’ or merely a system in crisis?
Why is digital identity so tricky?
The past decade is littered with worthy online identity initiatives that failed to meet expectations: the Trust Centre, VANguard, Project Angus and Liberty Alliance, to name a few.
All started with the intuitively appealing premise that if an individual has already been identified by one service provider, then that identification should be made available to other services, to save time, streamline processes, reduce costs, and open up new business channels. It’s a potent mix of supposed benefits, and yet it has proved strangely unachievable.
True, we can now enjoy the convenience of logging on to multiple blogs and social sites with an OpenID, or an unverified Twitter account. But higher risk services like banking and government welfare stand apart, still maintaining their own identifiers and sovereign registration processes.
Security vendors remain undeterred: witness the recent launch of the latest and greatest Open Identity Trust Framework. And the US government’s eagerly awaited National Strategy for Trusted Identities in Cyberspace draws heavily on the new orthodoxy of an open identity ‘ecosystem’.
To my mind, the fashionable open identity approach is lumbered, ironically, with the same lofty ambitions that killed off traditional Big PKI: they both aim to create trust frameworks sufficient to enable business to be conducted amongst strangers. To this end, federated identity proponents implore banks and government agencies to re-invent themselves as ‘Identity Providers’ in accordance with the weird and wonderful Laws of Identity.
Most federated identity initiatives are undone by the legal complexity and loss of control that follow when customer relationship silos are broken down. It seems obvious with 20/20 hindsight, yet these projects can battle on for years before they hit the wall. If we are to avoid wasting more time and energy, we urgently need a new set of simplifying assumptions instead of complicating generalisations.
Fresh thinking about digital identity won’t only demystify the grand plans for federated identity; it will also help with more immediate challenges like electronic verification (EV) of identity and bank account portability.
Assumption: there aren’t many strangers in real life business
The idea of ‘stranger-to-stranger’ transactions is implicit in open identity theory. Yet most e-business automates routine transactions between parties that have already signed up to an over-arching set of arrangements, like a credit card agreement or a supplier contract. The first and foremost concern of most digital identities should be to faithfully represent existing real world credentials.
Assumption: Relying Party and ‘Identity Provider’ are often the same
The central generalisation in open identity is that Identity Providers are separate from Service Providers or Relying Parties. This idea builds on the intuition that the identity I have with one bank should be recognisable by another, and decomposes each bank’s role into Relying Party on the one hand and Identity Provider on the other.
Yet the idea is fatally flawed, for when you take an identity outside of its original context and try to make sense of it in other contexts, then you break the original terms and conditions. Worse, you undercut any risk analysis that was done on the issuance process. If a bank doesn’t know how its customers are going to use their IDs, how can it manage its risks?
Assumption: there are no surprise credentials
One of the leading new identity technologies claims it can “prove unanticipated … identity assertions”. That is, two strangers can use this solution to work out what they need to know about each other in real-time before they transact. It’s a fascinating approach academically but over-engineered for practical application.
The vast majority of identity assertions in mainstream business are not in fact “unanticipated”. When you go shopping, the merchant anticipates you will present a credit card number. When you log on to the corporate network, the relevant identity assertion is anticipated to be your employee number. When a doctor signs a prescription, the relevant identity is their provider number.
In almost all cases, the transaction context pre-defines what identity will be relevant, and we arrange ahead of time (in designing the transaction software) for the parties to be equipped with the right credentials.
A great deal of effort has been wasted in open identity frameworks, catering for the utopian idea that parties have no prior arrangements, they haven’t anticipated what credentials are needed to support a transaction, and they will instead undertake some real-time negotiation to establish trust. We don’t do business like this in the real world, and I can’t see it ever working out online.
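To make the last two assumptions concrete, here is a small added illustration of my own; it is not code from Stephen Wilson's column or from any scheme he mentions. A relying party fixes, when the transaction software is designed, which issuer and which credential type each transaction context anticipates, and every assertion carries the context it was issued for. An identity that is perfectly good in its original context (a card credential at the merchant's checkout) is rejected when it turns up somewhere the issuer never anticipated, and a retargeted copy fails the signature check. The issuer names, shared secrets, context names and the assertion format are all constructed for the example.

```python
"""Added illustration: context-bound credentials checked by a relying party.

The relying party (RP) fixes ahead of time which issuer and which
credential type each transaction context anticipates, and accepts an
assertion only if it was minted for that context by an issuer the RP
already has an arrangement (here, a shared key) with.  Issuer names,
keys, context names and the assertion format are constructed for this
example; they are not from the column or from any real scheme.
"""
import hashlib
import hmac
import json

# Pre-existing arrangements: one shared secret per issuer this RP deals with.
ISSUER_KEYS = {
    "bank-a": b"constructed-secret-bank-a-with-this-rp",
    "health-registry": b"constructed-secret-registry-with-this-rp",
}

# Anticipated credential per transaction context, decided when the
# transaction software was designed rather than negotiated at run time.
EXPECTED = {
    "merchant.checkout": {"issuer": "bank-a", "type": "card_number"},
    "pharmacy.dispense": {"issuer": "health-registry", "type": "provider_number"},
}


def _canonical(payload: dict) -> bytes:
    """Stable serialisation so issuer and RP MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue(issuer: str, key: bytes, subject: str, cred_type: str, audience: str) -> dict:
    """Issuer mints an assertion bound to a single audience (transaction context)."""
    payload = {"iss": issuer, "sub": subject, "type": cred_type, "aud": audience}
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify(assertion: dict, context: str) -> tuple:
    """RP-side check. Returns (accepted, reason).

    The RP decides who it will even listen to for this context before it
    spends a signature check on the assertion; then it checks that the
    credential is the anticipated kind and was issued for this context.
    """
    expected = EXPECTED.get(context)
    if expected is None:
        return False, "unknown transaction context"
    payload = assertion.get("payload", {})
    issuer = payload.get("iss")
    if issuer != expected["issuer"]:
        return False, "no arrangement with issuer %r for %s" % (issuer, context)
    key = ISSUER_KEYS.get(issuer)
    if key is None:
        return False, "no key on file for issuer %r" % issuer
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, str(assertion.get("mac", ""))):
        return False, "bad signature"
    if payload.get("type") != expected["type"]:
        return False, "unanticipated credential type %r" % payload.get("type")
    if payload.get("aud") != context:
        return False, "issued for %r, presented in %r" % (payload.get("aud"), context)
    return True, "accepted"


def demo() -> dict:
    """Constructed scenarios: the accept path and three ways an identity strays."""
    key = ISSUER_KEYS["bank-a"]
    # Card credential minted for the merchant's checkout: the anticipated case.
    card = issue("bank-a", key, "cust-42", "card_number", "merchant.checkout")
    # The same customer's identity as issued for the bank's own login context.
    netbank = issue("bank-a", key, "cust-42", "card_number", "bank-a.netbank")
    # Someone rewrites the audience to fit the merchant; the MAC no longer matches.
    retargeted = {"payload": dict(netbank["payload"], aud="merchant.checkout"),
                  "mac": netbank["mac"]}
    return {
        "card_at_checkout": verify(card, "merchant.checkout"),
        "netbank_at_checkout": verify(netbank, "merchant.checkout"),
        "retargeted_at_checkout": verify(retargeted, "merchant.checkout"),
        "card_at_pharmacy": verify(card, "pharmacy.dispense"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-24s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

Running the module prints one line per scenario: only the card presented at the checkout it was issued for is accepted. The ordering in `verify` is the design point: the relying party never asks "who is this?" in the abstract; it asks whether this is the credential, from the issuer, in the context it already arranged for, and everything else is refused before any negotiation could begin.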
Stephen Wilson, founder of the Lockstep Group, is an analyst, consultant and innovator in digital identity and privacy.
Written by: Charis
Filed Under: Guest columnists, Stephen Wilson
