Lockstep


Surfacing identity

Editorial Note 19 May 2014: I changed "assertions" to "attributes" in the body of the blog, to use the more popular term right now. See how Bob Pinheiro in his comment rightly used the terms attributes/assertions interchangeably. I'm sure myself attributes, assertions and claims are synonymous for the purposes of "identity management".

The metaphor of a spectrum is often used to describe a sliding scale of knowingness. The degree to which someone is known is shown to range from zero (anonymity) up to some maximum (i.e. "verified identity"), passing through pseudonymity and self-asserted identity along the way. It's a useful way of characterising some desirable features of identity management; it's definitely good to show that in different settings, we need to know different things about people. But the spectrum is something of an oversimplification, and it contradicts modern risk management. While it's great to legitimise the plurality of identities (by illustrating how we can maintain several identities at different points on a spectrum), the metaphor is problematic. Spectra are linear, with just one independent variable, whereas risk management is multi-dimensional. The metaphor implies that identities can be ordered from weak to strong -- they can't -- and insidiously suggests that identities at the right hand end of the scale are superior.

A Digital Identity is a set of claims (aka attributes) that are meaningful in some context [Ref: Kim Cameron's Laws of Identity]. When an Identity Provider (IdP) identifies me in their context, what they're doing is testing and vouching for a closed set of n attributes: {A1, A2, ..., An}. When a Relying Party (RP) wants to identify me, they need to be satisfied about a number of particular attributes relevant to their business; let's say there are m of them: {Ai, Aii, ..., Am}. These are two distinct sets; the things about me that matter to an RP may or may not be the same things that the IdP is able to assert about me.

Meaningful Identity Federation requires, at the very least, that (1) the RP's m attributes are a subset of the IdP's n attributes, and (2) the IdP has tested each attribute to an acceptable level of confidence for the RP's purposes. When designing a federation, the sets of attributes for all anticipated RPs need to be defined in advance, together with the required confidence levels. Closing the "attribute space" and quantifying all its dimensions is a huge challenge.

When we look at identification risk management in a more multi-dimensional way, each identity looks more like a surface in a multidimensional space than a simple point on a 1D line. For example, let's imagine that a general purpose IdP ascertains and vouches for six attributes: given name, home address, date of birth, educational qualifications, residency and gender. The IdP gauges the accuracy with which it can assert each attribute as follows:

[Figure: the IdP's identity surface, plotted over the six attributes below]

    A1  Given name      90%
    A2  Address         90%
    A3  DOB             90%
    A4  Gender          35%
    A5  Qualifications  25%
    A6  Residency       25%


For this Identity Provider to be useful to any given Relying Party, the attributes need to be of interest to the RP, and they have to be asserted with a minimum accuracy. Consider RP1, a bank, which needs to be sure of a customer's name, address and date of birth to at least 80% confidence under applicable KYC rules, and doesn't need to know anything else. We can plot RP1's identity expectation and compare it with the IdP's attributes. All well and good in this case, for the IdP covers the RP:

[Figure: RP1's identity expectation overlaid on the IdP's surface]


Now consider RP2, an adult social networking service. All it wants to know is that its anonymous customers are at least 18 years of age. Its requirement for Attribute 3 is 90%, and it doesn't care about anything else. So again, the IdP meets the needs of this RP (assuming that the identity management technology allows for selective disclosure of just the relevant attribute and hides all the others):

[Figure: RP2's identity expectation overlaid on the IdP's surface]


Finally, let's look at a hospital employing a casual doctor. Credentialing rules and malpractice risk mean that the hospital is more interested in the individual's qualifications and residency (which must be known with 90% confidence) than in their name and address (50%). And now we see that RP3's requirements are not covered by this particular IdP:

[Figure: RP3's identity expectation overlaid on the IdP's surface, showing the uncovered attributes]
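The coverage test described above (the RP's attributes must be a subset of the IdP's, and each must be asserted to at least the RP's minimum confidence), applied to the IdP and the three RPs from this post. This is an added example, not code from the original post; the confidence figures are the post's, while the attribute keys and RP labels are assumed names, and disclosed_claims is an assumed helper illustrating the selective disclosure the RP2 case relies on.

```python
# Added example: the IdP/RP coverage check from the post, over the post's own
# figures. Attribute keys and RP labels are assumed names, not from the post.

# The IdP's six attributes and the confidence with which it asserts each.
IDP_ATTRIBUTES = {
    "given_name": 0.90,
    "address": 0.90,
    "dob": 0.90,
    "gender": 0.35,
    "qualifications": 0.25,
    "residency": 0.25,
}

# Each RP's identity expectation: attribute -> minimum confidence it needs.
RP_REQUIREMENTS = {
    "RP1 (bank, KYC)": {"given_name": 0.80, "address": 0.80, "dob": 0.80},
    "RP2 (adult social network)": {"dob": 0.90},
    "RP3 (hospital)": {"qualifications": 0.90, "residency": 0.90,
                       "given_name": 0.50, "address": 0.50},
}


def coverage_gaps(idp, required):
    """Return {attribute: reason} for every RP requirement the IdP fails.

    Condition (1): the attribute must be one the IdP asserts at all.
    Condition (2): the IdP's confidence must reach the RP's minimum.
    An empty result means the IdP covers this RP.
    """
    gaps = {}
    for attr, minimum in required.items():
        if attr not in idp:
            gaps[attr] = "not asserted by IdP"
        elif idp[attr] < minimum:
            gaps[attr] = f"IdP {idp[attr]:.0%} < required {minimum:.0%}"
    return gaps


def covers(idp, required):
    """True when the IdP's surface lies above the RP's on every required axis."""
    return not coverage_gaps(idp, required)


def disclosed_claims(idp, required):
    """Selective disclosure (assumed helper): release only what the RP asked for."""
    return {attr: conf for attr, conf in idp.items() if attr in required}


if __name__ == "__main__":
    for rp, req in RP_REQUIREMENTS.items():
        gaps = coverage_gaps(IDP_ATTRIBUTES, req)
        print(rp, "covered" if not gaps else f"NOT covered: {gaps}")
```

Running it reports RP1 and RP2 as covered and RP3 as not covered on qualifications and residency, matching the three surfaces above.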


Returning to the idea of a spectrum, there is no sliding scale from anonymity up to "full" identity. Neither can trust in an identity be pinpointed somewhere between LOA 1 and LOA 4. In general, the more serious an identity gets, the more complex and multivariate is the set of attributes that it covers. I'm afraid the pseudonymous social logon experience at LOA 1 doesn't pave the way to more serious multifaceted identity federation "at the other end" of a spectrum. It's not like simply turning up the heat to step up from cold to hot.

Posted in Trust, Identity, Federated Identity

Comments

Sastry Tumuluri, Mon 27 Aug 2012, 3:02pm

Using a spider chart to represent the multiple factors(?) of identity verification is a great idea.

It is not necessary for an IdP to meet all of an RP's needs. Conversely, an RP should design their system to obtain the necessary assertions (not all of them need to be identity-related) from multiple sources, meeting the required criteria (such as confidence level) in any way possible. I believe this is already being practiced but without the "sliding scale of confidence level for each factor". Perhaps one of the challenges is the absence of standardization in quantifying the confidence level.

Overall, a very useful post. Thanks. :)

Jim Fenton, Fri 31 Aug 2012, 9:24am

Steve, very useful post. I definitely agree that a multidimensional model describes best the different needs for reliability of assertions by different relying parties.

But I have a quibble with the statement that pseudonymity is somewhere between anonymity and verified identity. Pseudonymity has its own range of reliability, depending primarily on the strength of the authentication performed by the user. Authentication also affects the reliability of all other assertions.

Stephen Wilson, Sat 1 Sep 2012, 5:33am

Thanks Jim. I love the idea that an n-D identity will project different one dimensional scales.
I too am uncomfortable with pseudonymity being simply an intermediate state between anonymity and verified identity. For that matter, anonymity too has to be qualified, doesn't it? For one thing, someone might have a fictitious OSN handle and think they're anonymous, but should they do something really grievous, forensic investigation will probably track them back to a computer quick sticks (the issue has come up again in Australia this week of prosecuting vile Twitter trolls who drove a celebrity to attempt suicide; it's usually not hard for police to identify them). Further, when strong anonymity is claimed, as with Tor for instance, how do we really know? There are myriad technology and procedural factors that are at play, none of which are audited, are they?
So the technological robustness of an identity is an important dimension. Maybe we need to think in terms of Functional and Non-Functional requirements when looking at the ensemble of overt assertions and technological qualities that make up an identity? That goes to the memetics of identity I've been exploring in other threads.
The Australian National Electronic Authentication Framework (NEAF) usefully separated two dimensions along the lines you highlight. NEAF grades trust levels in a matrix with two independent variables: Strength of Registration (how well is the subject known by the IdP) and Strength of the authentication mechanism. That's a well intended approach, but it's not enough. There is no neat linear standardization of mechanism strength; NEAF suggests that passwords are weak, 2FA is better, and biometrics is the strongest, but a poorly implemented biometric (like fingerprint with no liveness detection) is probably weaker than a well chosen, well managed password.
If mechanism strength matters a lot to a Relying Party, they are going to want to know the details, and will not be satisfied by a rolled-up estimate from "1" to "4". Which brings us back to the basic dilemma: for high risk applications, RPs will need to go beyond "LOA 4" and look into the details of each assertion, the IdP's liability disclaimers, the quality of the identity technology and so on and so forth ... all of which are local matters determined by the RP as being relevant to them. And of course, all of these factors are analysed and quantified at design time. The result of the design time risk assessment is a shortlist of IdPs that the RP finds acceptable for the transaction in question. It just cannot be the case that the RP will accept any identity from an open-ended list of "LOA 4" IdPs. So what's the point of LOAs?

Bob Pinheiro, Sat 8 Sep 2012, 12:59am

You are making a case for claims-based identity, where an "identity" is defined as a set of assertions or attributes that is meaningful to some particular RP. Since different types of RPs will be interested in different sets of attributes/assertions, it’s hard to imagine a single, general purpose IdP that will know in advance all the attributes/assertions that will be of interest to every type of RP. Even if attributes/assertions are combined across several IdPs, the definition of an identity still depends on the requirements of the RPs. So it’s not surprising that it would be difficult for an RP to decide to accept an assertion from one or more IdPs based on some one-dimensional LOA value, without knowing more about what each such IdP is doing.

But I don’t think that makes the LOA concept useless. If “identity” is indeed defined differently for different types of RPs, based on the attributes/assertions of interest to those RPs, it seems likely that different “trust communities” will emerge. For instance, healthcare and financial services may be two such communities, because the identification needs of RPs within these two communities may be different. RPs in each such community will likely have similar sets of attributes/assertions (or a common set) that is of interest to them. Such trust communities will develop their own trust frameworks that govern the various criteria that must be satisfied in order for an RP within that community to trust an assertion from some IdP governed by the same trust framework. So within a given trust community, the LOA concept still makes sense to me as a way to help an RP decide whether it will accept an assertion from some IdP. In this sense, LOA is just a way to categorize the values of an assurance function that takes as input the results of the various assessment criteria needed to determine the overall assurance, within a given trust community, that a particular identity is known with high probability.

If different trust communities develop, each with its own set of attributes/assertions that RPs within that community care about, and each community is governed by its own trust framework, then this breaks the traditional federation model that treats different IdPs as essentially interchangeable (at the same LOA). But that doesn’t necessarily mean a re-emergence of the token necklace problem, where individuals will have to carry around separate physical devices for authentication within each community. The trick is to devise an identity ecosystem that allows people to use a single device that contains all the electronic credentials and private keys needed for easily authenticating to RPs in all the communities they deal with.

Stephen Wilson, Sat 8 Sep 2012, 6:31pm

Thanks Bob.

I agree wholeheartedly that the trick is for "people to use a single device that contains all the electronic credentials and private keys needed for easily authenticating to RPs in all the communities they deal with". Well, maybe not a single device, but a small number of them, and a very small number of form factors.

I reckon the major challenge in identity management today is really human factors engineering: how do we improve the usability and reliability of digital identities? The identities themselves are shaped by the risks of different types of transactions authenticated by each identity. As Bob indicates, each "trust community" has its own assertions of interest, and standards for accepting them. For the most part, these "trust communities" already exist for the more serious transactions associated with government services, banking, payments, healthcare, the professions and employment. What we need to do most urgently is change the way that digital identities are instantiated.

Here's a presentation I did a couple of years ago, with a few recent updates, espousing the management of diverse digital identities through easy-to-use, intuitive smart devices: http://lockstep.com.au/library/smartcards/smartcards-digital-identity-a.
