March 9, 2011

Give me an ‘s’!

No one is shaking pom poms with excitement and standing up
and cheering for the US’s pluralisation of internet IDs

BY STEPHEN WILSON

It’s amazing what the omission of a single letter ‘s’ can do to the meaning of a complex idea, like digital identity.

The National Strategy for Trusted Identities in Cyberspace (NSTIC), released by the White House last month, is a proposal for a new “ecosystem” of diverse internet IDs. That’s identities, plural. Yet most reporting describes NSTIC in terms of a single internet ID.

Thankfully, Western governments are not going down that path. NSTIC is a sincere attempt to improve privacy and confidentiality, and foster the security industry.

Yet haven’t we trod this ground before? “Federated Identity” has proven fiendishly difficult among banks even when they’re working with agreed ID protocols. What hope can there be that new identification standards could interoperate across entirely different sectors?

The starting point of identity federation is that we each maintain a suite of different identities or relationships, each meaningful in a specific context. This reflects how we manage our affairs in real life. We seamlessly (and innocently) adopt different guises at work, at play and at home. For example, I have different responsibilities (and emotions too) when I do my banking as a company director compared to when I act as an employee or as my sports club treasurer.

The only way to have our security and privacy at the same time, and retain the option of anonymity when appropriate, is to preserve this plurality of identities as we transition from real world to digital.

Password plague

We are at a delicate stage in the evolution of the digital economy. Crude authentication mechanisms like passwords and one-time PIN generators were fit for engineers in the 1970s but have been casually carried over into the internet age where they have blown up in spectacular fashion. When a computer programmer has three or four passwords at work, it goes with the territory. But when Mum and Dad need dozens of them for banking, shopping, paying bills, mailing, phoning, skyping, networking, listening, reading and booking a doctor’s appointment, we have a very big problem.

The IT industry’s response to the password plague has been to try to re-use or ‘federate’ identities. Superficially, many of our identities seem the same. So the logic goes, why should we endure the hassle of re-identification every time we access a new online service? This vision is especially beguiling in banking, where it seems all institutions go through the same 100-point check with new customers.

Whitehouse cyber security chief Howard Schmidt recently blogged about the NSTIC. “Imagine,” he wrote, “that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log into her bank, her email, her social networking site, and so on, all without having to remember dozens of passwords.”

Federated identity certainly speaks to real needs, but it’s easier said than done. Experiences such as the Australian banks’ Trust Centre initiative, Liberty Alliance in the US and OpenID prove that moving to new identification arrangements plays havoc with long-standing business relationships and liability agreements.

How can a bank be expected to underwrite risks arising when customers use the ‘identities’ it issues in new business over which the bank has no control? When we look closely we realise that federated identity is a truly radical step. All financial transactions today are managed in a tightly knit, closed environment. We enjoy the security and certainty of either bilateral arrangements between bank and customer, or highly governed multi-lateral contracts such as credit card agreements. Interposing new intermediaries to vouch for identity or other attributes inevitably means major contract variations. When they say identity management “is not a technology issue”, they’re right. It’s a legal jungle.

Legal quicksand

The biggest obstacle in the financial sector might be legislation. Strict protocols are set down in the Financial Transaction Reports Act and the AML rules. They do now allow for online identification but they still prescribe certain identity documents.

Federated Identity, on the other hand, adopts a generic four-step ‘Trust Level’ so that phone companies, universities, governments and banks can all talk the same identity language.

The trouble is, this is a new language, and it needs to be agreed before the legislative changes can even be scoped, let alone drafted. It is surely premature to talk about an identity ‘ecosystem’ when the liability arrangements haven’t taken shape even vaguely.

We do a pretty good job identifying and trusting people in the real world. The online problems actually are technological. First, we need two-factor authentication devices that are universally easy to use. And second, we need to exchange digital identifiers and other personal data in non-replayable ways that resist copying and take-over.
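As an added illustration of the non-replayable exchange called for above (example code written for this page, not from the article or from Lockstep), the device below holds a separate secret for each relationship and answers a single-use, time-limited challenge; a captured response is useless when resent, when offered to a different relying party, or after the challenge has expired. The names, the HMAC construction and the sample scenario are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

def _mac(key, relying_party, challenge):
    # Response is bound to the relying party name and the fresh challenge.
    return hmac.new(key, relying_party.encode() + b"|" + challenge, hashlib.sha256).digest()

class Device:
    # User-held authenticator: one independent secret per relationship (bank, university, ...).
    def __init__(self):
        self._keys = {}
    def enrol(self, relying_party):
        self._keys[relying_party] = secrets.token_bytes(32)  # fresh secret per context
        return self._keys[relying_party]  # handed to that party once, at enrolment
    def respond(self, relying_party, challenge):
        return _mac(self._keys[relying_party], relying_party, challenge)

class RelyingParty:
    # Verifier that issues single-use, time-limited challenges.
    def __init__(self, name, ttl=30.0):
        self.name, self.ttl = name, ttl
        self._keys = {}     # user -> enrolled secret
        self._pending = {}  # challenge -> (user, issue time)
    def register(self, user, key):
        self._keys[user] = key
    def challenge(self, user, now=None):
        c = secrets.token_bytes(16)
        self._pending[c] = (user, time.monotonic() if now is None else now)
        return c
    def verify(self, user, challenge, response, now=None):
        now = time.monotonic() if now is None else now
        issued = self._pending.pop(challenge, None)  # single use: a replay finds nothing pending
        if issued is None or issued[0] != user or now - issued[1] > self.ttl:
            return False
        return hmac.compare_digest(_mac(self._keys[user], self.name, challenge), response)

def run_scenario():
    # Constructed walk-through: one device, two unrelated relationships, one captured exchange.
    dev, bank, uni = Device(), RelyingParty("bank"), RelyingParty("university")
    bank.register("alice", dev.enrol("bank"))
    uni.register("alice", dev.enrol("university"))
    c = bank.challenge("alice", now=0.0)
    r = dev.respond("bank", c)
    first = bank.verify("alice", c, r, now=1.0)
    replay = bank.verify("alice", c, r, now=2.0)  # same exchange resent by an eavesdropper
    cross = uni.verify("alice", c, r, now=1.0)    # bank response offered to the university
    stale = bank.challenge("alice", now=0.0)
    expired = bank.verify("alice", stale, dev.respond("bank", stale), now=100.0)
    return {"first": first, "replay": replay, "cross": cross, "expired": expired}
```

Only the first, fresh exchange verifies; the other three outcomes are the replay, cross-context and expiry failures the paragraph asks an identity exchange to resist.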

Identification and trust are not perfect, but we don’t make enough errors to justify overturning the way we do business, as federated identity demands we do.

Stephen Wilson, founder of the Lockstep Group, is an analyst, consultant and innovator in digital identity and privacy.

Filed Under: *Online Banking Review, Stephen Wilson

Trackback URL: http://www.bankingreview.com.au/2011/03/give-me-an-s.html/trackback
