In the past decade our identity has undeniably evolved: we’re preoccupied with identity theft and authentication issues, while governments work to adopt open identity technologies. David Mahdi, a Product Manager at Entrust, explains the critical issues in understanding the very nature of identity in a society actively building bridges between the real and digital world.
What are the critical issues in understanding the very nature of identity in a society actively building bridges between the real and digital world?
While one’s identity in a digital world is analogous to what it is in the traditional “real” world, the challenges and issues associated with trusting one’s digital identity, managing it, and securing it are very different between these two worlds.
The core value of one’s digital identity is trust. In the real world an individual is able to easily confirm their identity by presenting documents, such as a passport or driver’s license, that have been issued by authorities, based on verifiable information provided by the individual. And because these authorities (such as governments) are trusted, the documents, or credentials, they issue can be used by the individual to prove their identity with many different organizations that might be offering services.
In the digital world, however, trust is not as easy to determine. Like the real world, a digital identity must be issued by a trusted authority. The extent to which that digital identity can be used may well be a function of the trust that other organizations put in that Authority. In some cases a digital identity may be issued by a single Authority – a bank, a retailer or even a government agency – and that identity may only be used with that Authority. As a result, to take advantage of the digital world, individuals may have many digital identities. This, however, is not ideal. If the Authority that issues a digital identity is trusted by other organizations, in much the same way that a government issuing passports is trusted, then the digital identities they issue could also be trusted by other organizations, and be used more broadly. But establishing that trust is one of the key challenges of the digital world.
As a result, an individual’s digital identity may actually consist of many different identities, issued by many different organizations, and generally they’ll be used and trusted only by the organization that issued them. This creates a bit of a management nightmare for individuals in the online world as they’re faced with keeping track of which identity is used with which organization, where that identity is stored electronically and, most importantly, how to protect it.
How has individual identity evolved in the digital world?
One of the great opportunities in the digital world is the unparalleled growth of services that are available online – whether it’s for purchasing vacations, accessing health documents, balancing bank accounts and paying bills, or just interacting with friends and business colleagues in a social network or over email. But taking advantage of these services has resulted in an individual having many unique digital identities. Each of these organizations may recognize an individual very differently – and their entitlements with each of the organizations may differ dramatically. An individual’s overall identity, therefore, is a collection of digital identities, all of which must be managed and protected.
While services and networks have expanded, threats in the digital world have also increased – in particular threats related to stealing identities – identity theft. So as individuals take advantage of new services, the number of digital identities they have also expands – and in the absence of an effective way to manage all of these identities, or a consistent way of protecting them, their vulnerability to identity theft also increases.
Would you say fraud is the main catalyst behind authentication innovation?
While many people still lose money to traditional fraud scenarios, such as the massive Ponzi scheme perpetrated by Bernard Madoff, increasingly sophisticated on-line scenarios continue to emerge. Early online attacks, orchestrated largely by “script kiddies” intent on have evolved into sophisticated malware attacks orchestrated by organized crime rings. For the first half of 2010 the Anti-Phishing Working Group (APWG) reported that there were 48,244 phishing attacks occurring across 28,646 unique domain names. At the root of most of these attacks is the use of social engineering. Criminals are using very persuasive and often personalized tactics to entice users to take specific actions that will result in the attacker’s ability to in some way misdirect or take over a user’s session—or their entire machine!
But fraud is a very broad term that is used to refer to anything from the theft of personal information to the interception of financial transactions. At the end of the day, people who are taking advantage of the Internet want to feel protected from all of these threats online – and a big part of that is having the confidence that their identity is protected. Authentication is an important means of ensuring that a person online is who they say they are – and the means to ensure this is to provide reliable, trusted strong authentication. But for users to adopt stronger authentication it needs to be easy to use so it does not interrupt the typical way in which they interact – it must be flexible, and it must be easily deployed.
Even within organizations the adoption of strong authentication is challenging – while a recent Forrester report indicated that 65% of firms in North America and Europe had adopted strong authentication, it had been rolled out to fewer than 10% to 20% of the employee base.
The desire to provide this broader protection against online threats is certainly an important motivator in the development of new authentication technologies. As an example, mobile devices are becoming ubiquitous among online users, and being able to leverage these devices would offer an easy-to-use, affordable method of authentication that could be easily rolled out to a broad population base. Similarly, authentication methods such as grid cards offer an affordable and easily adopted alternative to traditionally complicated methods such as one-time passwords – in turn making stronger authentication accessible to a broad base of users. And offering these approaches on a single platform provides organizations with flexibility so they can apply the appropriate authentication method to the type of user, matching their online behavior. All of these innovations have been spurred on by the desire to extend greater protection to the online user.
Nowadays most users have a hard time managing their online identity across multiple websites and services. This comes mainly from a lack of understanding of security risks. Would an official unified identity document like a passport solve the problem or just bring more controversy to the issue?
One of the challenges in the digital world is that individuals receive identities from many different sites, so their digital identity is actually a collection of unique identities, all of which must be managed and protected individually. While a lack of knowledge about security risks certainly makes the user’s experience more difficult, the larger issue is the lack of trust among the issuing authorities – the fact that each agency or site is compelled to issue their own branded identity – and that there is little to no trust of identities issued by different organizations.
An identity that could be trusted by more than one organization would certainly make for an easier user experience, particularly if the identity could be managed and protected seamlessly and transparently to the user.
However, trust between organizations is difficult to establish because organizations often have very different, sometimes competing priorities. Even within government agencies, the jurisdictional concerns make such collaboration difficult – and that is compounded in a competitive environment. Leveraging identities across organizations in some type of federation requires common policies and common processes that are adopted and implemented consistently – and that there is a legal framework governing the Federation.
These are difficult issues to resolve, but the establishment of federations in which identities are trusted would be an important step forward in making it easier for individuals to understand and manage their digital identity. And in the absence of a federation that trusts identities issued by another authority, the number of identities that make up an individual’s overall digital identity will continue to expand.
What are the key issues we have to deal with when implementing identity management? How can they be resolved?
There are a number of issues that need to be addressed when implementing an identity management solution – many of these can be grouped around administration and deployment, security, and lifecycle management of the identities.
One of the first issues in the implementation of an identity management solution is the establishment of trust for the identities. The ability to properly vet the individual before issuing the identity creates a foundation for trust – and the potential extension of the trust framework. The development of a common acceptable framework to issue an identity is an important factor in establishing that underlying trust.
In terms of administration it’s important that an identity management solution can be centrally administered so that policies can be implemented consistently and efficiently throughout the organization. From a security perspective, if central policies cannot be implemented consistently or enforced then it undermines the overall system.
It’s also important that an identity management system provides flexibility to apply different types of identities to different types of users. This reflects the fact that not all users are equal – that different roles may perform different types of transactions, with different risk levels. An effective identity management system will support many different authentication types, which in turn can support different security levels – such as one-time passwords versus digital certificates.
Based on your experience, what’s the quality of the software used to work with open identity standards? What are the missing ingredients?
There’s a lot more acceptance today of the products that are using and leveraging open identity standards than was the case 3 to 5 years ago. However, to a large extent many of the projects that are being implemented are very slow to develop and are very basic applications. As an example, being able to leverage a Google ID across multiple sites is convenient to users and a significant step forward from what has been the case to date; however, the applications supported are not high value. The standards that have been developed in this area allow for more robust or stepped-up authentication, but to date there has not been a significant movement to leverage this.
What’s your take on government adoption of open identity technologies?
The government has provided a major impetus to the adoption of open identity technologies and to a large extent has led the way. They have been involved in standards-based federated models for many years, based largely on PKI using X.509 certificates.
In more recent years the government has played an important role in driving some of the requirements that need to be addressed for the back-end systems, such as stronger protection of the servers to address privacy concerns. These considerations need to be addressed before these technologies can be leveraged for mass consumption, or for higher value services.