Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Total cost of ownership of Multiple Identities

Federated Identity and before that, Single Sign On (SSO), are responses to the password plague. The cost of managing multiple passwords and multiple identities rises as they proliferate. The total cost of identity management encompasses the time and personal burden of keeping track of them all, the resources wasted on password resets and similar administrative overheads, and the extra effort needed to enrol afresh for each new identity.

I don't know if there are formal studies of Total Cost of Ownership (TCO) in Identity Management, but people figure intuitively that it goes like this:

Slide1 v2

It seems reasonable. The more ids, the more the hassle and effort, and the higher the cost.

Yet can we assume that the reverse applies? If we reduce the number of ids, will the TCO fall? It depends how far down we want to go. The implicit assumption in SSO is that the total cost of having just one identity will be minimum. But SSO turned out to be easier said than done; the initials have come to mean "Simplifed" Sign On. So what's going on here?

My experience of federated identity is that there are major legal complexities and costs that are often unanticipated when framing these initiatives. In particular, when a service provider like a bank or government agency wants to authenticate its customers through a third party identity, there are significant new overheads. The service provider's risk assessment needs to be reviewed, and quite often, negotiations will be entered into with the new identity providers (or applicable authentication brokers). By the same token (pun intended) if an identity issuer like a bank is going to allow their customers to re-use those identities for additional services, then there will need to be new contracts and Ts&Cs drawn up.

The more powerful the federated identies, the more complex will be the new arrangements.

Therefore the TCO of a set of identities will at some point start to increase as the size of the set drops. Nobody as yet has got close to a single identity. Big PKI failed in that ambition. Even in the reasonably closed banking environment, attempts to federate a single identity, like the Australian Trust Centre and "MAMBO" initiatives failed to get off the ground, partly because of unresolved contractual complexities. These snags point to higher costs, not lower.

So it must be the case that the relationship between TCO and the number of discrete identities anyone has is bowl shaped, as below. The cost of a single identity is incalculable, and might literally be infinite (i.e. the single ID is unattainable) since the fine print associated with any 'master ID' will mean that it cannot in fact meet the needs of all Relying Parties.

Slide2

An interesting research question is: what is the value of the 'ideal' number of identities where TCO is at a minimum? An empirical ballpark estimate is 10-15, based simply on the number of identities most us currently carry in our purses and wallets. We can think about this magic number ecologically. If the current business ecosystem has settled on a dozen or so discrete identities (bank accounts, credit cards, a driver licence, a public health insurance card, a private health insurance card, an employee ID, a passport) then the cost of consolidating them is probably higher than the cost of leaving them alone, otherwise we would have seen natural federation already.

Posted in Security, Identity, Federated Identity

Comments

Simon WoodsThu 3 Feb 2011, 4:53am

Initially our focus was introverted and we saw the world ending at the edge of our enterprise. A little like gravity where the simple rules worked to a point after making some major assumptions :-). We have spend years consolidating our enterprise ID's to a single global ID and give ourselves a pat on the back for being so advanced. In this case we really have seen a massive reduction in TCO and this is certainly a process which must continue.

What you are also saying though is that the problem space has a dimension not yet visible for most classical enterprises (the federated id's == relativity theory -> travelling at the speed of light problem - sorry - watched too much Star Trek). I am not quite sure if I would put these identities directly on the same map as the enterprise ones but the effect is the same.

My personal opinion is that the contractual problem is to some extent solvable, but not necessarily by the organisations which are leading the technological developments today. Those that do have a chance to make a difference are the service providers who already have contractual agreements with their customers. An additional contract to deal with identities is most certainly non trivial but within reachable bounds. We will see though how this develops in the next months and years :-).

Stephen WilsonThu 3 Feb 2011, 9:33am

Simon, all contractual problems are solvable, but the more complex the contract, the greater the cost. You're right that there are existing contracts between the 'obvious' identity providers -- banks, telcos, govt agencies -- and their customers, but these agreements always limit (and sometimes ban) how customers can exercise their identities with others. A bank today generally won't allow me to use my OTP to authenticate to an e-store (let alone another bank!). Changing these contracts is very difficult because a whole new risk assessment needs to be done, in anticipation of transactions that have not been sanctioned previously. The exercise takes banks and governments well outside their comfort zones. Moreover, the IdPs also need to write contracts with RPs, so everyone knows where they stand on liability. And these IdP-RP contracts are brand new. What I have seen now three times in separate Australian federation projects is lawyers looking at these new sorts of contracts and advising "This has never been done before". This makes the TCO incalculable. The only way to keep cost under control is to load up the IdP-RP and IdP-user agreements with exclusions and fine print, in effect reducing the power of the identities concerned. And so we never actually get to one effective ID.

Simon WoodsThu 3 Feb 2011, 10:56am

Absolutely. I also would agree that the usual IdP's are not geared for this kind of thing. My example for service providers also only really works (easily) for Business to Business communication within a certain community. The point is though - if I am service provider managing a business's identities (because I run their AD or their local SSO system) then I already have contracts with them on how to manage their users and have a certain level of data protection issues covered. This is part of a larger package. In this case it is possible that the increased costs can be viewed in a wider context. It does not change the effective costs but it could raise the pain threshold to a point where they can actually offer something useful :-).

NZNFri 4 Feb 2011, 5:47am

You both make some excellent points and observations.
There is going to be a tremendous strategic advantage to the society/community that adopts an approach to IDentity structure by yielding to the fact that the best case scenario is composed of an IDentity unlike any now existing on the planet... because the origin of IDentity is presently mis-structured, and thus the methodology of IDentity management is mis-construed.

Each Individual IDentity should be able to define the "ideal" number of useful IDentities where TCO is at a minimum. No other construct is capable.

In order to deliver that user empowerment/capability, the database must have an appropriate relationship with the IDentity source. No matter how you get there, Constitutions are going to be rewritten.

We can not structure IDentity right until we have the structure of society defined as the Internet requires/enables. IDentity structure is going to rewrite Constitutions, and thereby every single contract now existing. The innate premise of IDentity is flawed under modern law and structure, and every account that forms on our current foundation reiterates the flaw. In Facebook, I am a data-slave, because as an American citizen I am a data-slave... because I do not own my IDentity in an appropriate way.

There is a practical path ahead, but it comes at the cost of convention. The only winners will be every Individual, the byproducts of their creative efforts, and the entities that they build to store and develop their values.

Post a comment

If you are a registered user, Please click here to Sign In

Your Name*

Your Email Address* required, but won't be displayed on this site

To help prevent spam in our blog comments, please type in "Multiple" (without the quotation marks) below*