Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Let's embrace Identity Plurality

In information security we’ve been saddled for years with the tacit assumption that deep down we each have one “true” identity, and that the best way to resolve rights and responsibilities is to render that identity as unique. This “singular identity” paradigm has had a profound and unhelpful influence on security and its sub-disciplines like authentication, PKI, biometrics and federated identity management.

Federated Identity is basically a sort of mash-up of the things that are known about us in different contexts. When describing federated identity, its proponents often point out how driver licences are presented to boot-strap a new relationship. But it is a category error to abstract this case as an example of Federated ID, because while a licence might prove your identity when joining a video store, it does not persist in that relationship. Instead the individual is given a new identity: that of a video store member.

A less trivial example is your identity as an employee. When you sign on, HR might sight your driver licence to make sure they get your legal name correct. But thereafter you carry a company ID badge – your identity in that context. You do not present your driver licence to get in the door at work.

Federated Identity posits, often implicitly, that we only really need one identity. The "Identity 2.0" movement properly stresses the multiplicity of our relationships but it usually seeks to hang all relationships off one ID. The beguiling yet utopian OSCON 2005 presentation by Dick Hardt shows vividly how many ways there are to be known (although Hardt went a step too far when he tried to create a single, albeit fuzzy, uber identity transcending all contexts).

I favor an alternate view - that each of us actually exercises a portfolio of separate identities and that we switch between them in different contexts. This is not an academic distinction; it really makes a big difference where you draw the line on how much you need to know to set a unique identity.

Kim Cameron’s seminal Laws of Identity deliberately promoted the plurality of identity. Cameron included a fresh definition of digital identity as “a set of claims made by one digital subject about itself or another digital subject”. He knew that this relativist definition might be unfamiliar, admitting that it “does not jive with some widely held beliefs – for example that within a given context, identities have to be unique”.

That "widely held belief" seems to be a special product of the computer age. Before the advent of “Identity Management”, we lived happily in a world of plural identities. Each of us could be by turns a citizen, an employee, a chartered professional, a customer, a bank account holder, a credit cardholder, a patient, a club member, an official of another club, and so on. It was seemingly only after we started getting computer accounts that it occurred to people to think in terms of one "primary" identity threading a number of secondary roles. Conventional Access Control insists on a singular authentication of who I am, followed by multiple authorisations of what I am entitled to do. This principle was laid down by computer scientists in the 1970s.

The idea that we need to establish a true identity before granting access to particular services is unhelpful to many modern online services. Consider the importance of confidentiality in "apomediation" (where people seek medical information from non technical but "expert" patients) and online psychological counselling. Few will enrol in these important new patient-managed healthcare services if they have to identify themselves before providing an alias. Instead, participants in medical social networking will feel strongly that their avatars’ identities in and of themselves are real.

Despite the efforts of Kim Cameron and others, the singular identity paradigm has proved hard to shake. In practice, and despite the plurality in the Laws of Identity, most federated identity formulations actually reuse identities across totally unrelated contexts, in order to conveniently hang multiple roles off the one identity.

The old paradigm also explains the surprisingly easy acceptance of biometrics. The very idea of biometric authentication plays straight into the world view that each user has one “true” identity. Yet these technologies are deeply problematic; in practice their accuracy is disappointing; worse, in the event a biometric is ever stolen, it's impossible with any of today's solutions to cancel and re-issue the identity. Biometrics’ overwhelming intuitive appeal must be based on an idea that what matters in all transactions is the biological person. But it’s not. In most real world transactions, the role is all that matters. Only rarely (such as when investigating fraud) do we go to the forensic extreme of knowing the person.

There are grave risks if we insist on the individual being bodily involved in routine transactions. It would make everything intrinsically linked, violating inherently and irreversibly the most fundamental privacy principle: Don’t collect personal information when it’s not required.

Why are so many people willing to embrace biometrics in spite of their risks and imperfections? It may be because we’ve been inadvertently seduced by the idea of a single identity.

Posted in Identity, Federated Identity, Culture, Biometrics

Ski runs and LOAs

In Identity Management, Levels of Assurance are an attempt to standardise the riskiness of online transactions and the commensurate authentication strength needed to secure them. Quaternary LOAs (levels 1/2/3/4) have been instituted by governments in the USA, Australia and elsewhere, and they're a cornerstone of federated identity programs like NSTIC.

All LOA formulations are based on risk management methodologies like the international standard ISO 31000. The common approach is for organisations to assess both the impact and expected likelihood of all important adverse events (threats) using metrics customised to the local business conditions and objectives. The severity of security threats can be calculated in all sorts of ways. Some organisations can put a dollar price on the impact of a threat; others look at qualitative or political effects. And the capacity to cover the downside means that the same sort of incident might be thought "minor" at a big pharmaceutical company but "catastrophic" at a small Clinical Research Organisation.

I've blogged before that one problem with LOAs is that risk ratings aren't transferable. Risk management standards like ISO 31000 are formulated for internal, customised use, so their results are not inherently meaningful between organisations.

Just look at another type of risk rating: the colours of ski runs.

All ski resorts around the world badge the degree of difficulty of their runs the same way: Green, Blue, Black and sometimes Double Black. But do these labels mean anything between resorts? Is a Blue run at Aspen the same as a Blue at Thredbo? No. These colours are not like currency, so skiers are free to boast "that Black isn't nearly as tough as the Black I did last week".

LOAs are just like this. They're local. They're based on risk metrics (and risk appetites) that are not uniform across organisations. They cannot interoperate.

As far as I am aware, there are as yet no examples of LOA 3 or 4 credentials issued by one IdP being relied on by external Service Providers. When there's a lot at stake, organisations prefer to use their own identities and risk management processes. And it's the same with skiing. A risk averse skier at the top of a Black run needs more than the pat assurance of others; they will make up their own mind about the risk of going down the hill.

Posted in Language, Federated Identity

Niche is a better word for it

With the term "ecosystem" being bandied about so much, I started thinking ecologically last year. A two-part article on my new Ecological Theory of Identity is being published in SC Magazine Australia.

Here's a little extract of the next installment:

Extract

If we think ecologically, we can better explain the surprising power of context in identity management. It is ironic that the Laws of Identity emphasise the importance of context, and yet federated identity programs repeatedly underestimate how strongly IDs resist changing context.

The tight fit that evolves between each given identity and the setting in which it is intended to be used is best described as an ecological niche. As with real life ecology, characteristics that bestow fitness in one niche can work against the organism -- or digital identity -- in another.

Identity "silos" are much derided but we can see now they are a natural consequence of how all business rules are matched to particular contexts. The environmental conditions that shaped the particular identities issued by banks, credit card companies, employers, governments and professional bodies are not fundamentally changed by the Internet. As such, we should expect that when these identities transition from real world to digital, their properties -- especially their "interoperability" and liability arrangements -- cannot readily adapt.

So, taking a mature digital identity (like a university student ID) out of its natural niche and hoping it will interoperate in another context (like banking) is a lot like taking a salt water fish and dropping it into a fresh water tank.

On the other hand, the ecological frame neatly explains why the purely virtual identities like blogger names, OSN handles and gaming avatars are so highly interoperable: it's because their environmental niches are not so specific. Thinking about how quickly and widely social identities like Facebook Connect have spread, in a very real sense we can describe them as weeds!

My longer article on a new ecological theory of digital identity is available here.

Posted in Identity, Federated Identity

Farmers know about silos

Imagine this. Two grain growers are neighbours. One farms wheat and the other corn. Both have invested a lot of money in their silos and grain handling equipment, all of which continues to be a significant cost in their operations. The corn farmer is an innovator and comes up with a bright idea. She approaches her neighbour and gives him the following proposition: since their infrastructure is such an overhead, why not, in the name of efficiency, join up and share their silos?

What farmer wouldn’t reject this idea out of hand? If a grain grower needs more capacity, in theory they could re-engineer the entire storage and handling system to use someone else's silo, strike up new support arrangements with their equipment providers, and seek insurance to cover new risks of mixing up their grains. But it would be simpler, cheaper and quicker to just build themselves another silo!

"Break down the silos" is one of the catch cries of modern management practice, and it’s a special rallying call in the Federated Identity movement. Nobody denies that myriad passwords and security devices have become a huge headache, but attempts to solve what is really a technology and human factors challenge by sharing identities and identity provisioning all too often come unstuck.

It’s not for nothing that we call identity domains "silos". Grain silos are architecturally elegant, strong and safe; they are critical infrastructure for farmers.

Of all the metaphors in identity management, "silo" is actually one of the good ones. And you have to wonder when and why it became a dirty word in our industry. Identity silos are actually carefully constructed risk management arrangements and in IDAM, risk is the name of the game. As such, silos are not to be trifled with!

Posted in Security, Language, Federated Identity

Federation is at odds with infosec best practice - and nature

In modern information security we implore businesses to understand the risks of their particular business contexts, and to enact security mechanisms that are attuned to their environment. There is no one-size-fits-all risk management arrangement. And infosec professionals frown upon one company lifting another's security system without first analysing their own situation and fine tuning the controls.

The inherent differences between business settings are the clear reason why authentication rules have evolved into different silos.

And yet the dominant idea in contemporary identity management remains federation: the unreal optimism that one identity can efficiently work across multiple unrelated contexts.

It seems to me like a law of nature - perhaps something like a Conservation of Risk Management Energy - that the effort and cost required to devise one identity that interoperates across N contexts cannot be less than the total overhead of maintaining N separate identities.

It's truer today than ever before: you cannot cut corners in risk management.

Posted in Security, Federated Identity

Bob is dead

With apologies to Friedrich Nietzsche. Bob, the hero of many a crypto folk tale, is dead, and we have killed him.

We now know that in PKI, Alice's Relying Party is almost always a machine and not a human being. The idea that two strangers would use PKI to work out whether or not to trust one another was deeply distracting and led to the complexity that in the main stymied early PKI.

All of which might be academic except the utopian idea persists that identity frameworks can and should underpin stranger-to-stranger e-business. With NSTIC for instance I fear we are sleep walking into a repeat of Big PKI, when we could be solving a simpler problem: the robust and bilateral presentation of digital identity data in established contexts, without changing the existing relationships that cover almost all serious transactional business.

The following is an extract from a past paper of mine, "Public Key Superstructure" which was presented to the NIST IDTrust Workshop in 2008. There I examine the shortfalls and pitfalls of using signed email as a digital signature archetype.

E-mail not a killer application for PKI

A total lack of real applications would explain why e-mail became by default the most talked about PKI application. Many PKI vendors to this day continue to illustrate their services and train their users with imaginary scenarios where our heroes Alice and Bob breathlessly exchange signed e-mails. Like the passport metaphor, e-mail seems easily understood, but it manifestly has not turned out to be a ‘killer application’, and worse still, has contributed to a host of misunderstandings.

The story usually goes that Alice has received a secure e-mail from stranger Bob and wishes to work out if he is trustworthy. She double clicks on his digital signature and certificate in order to identify his CA. And now the fun begins. If Alice is not immediately trusting of the CA (presumably by reputation) then she is expected to download the CP and CPS, read them, and satisfy herself that the registration processes and security standards are adequate for her needs.

Does this sort of rigmarole have any parallel in the real world? A simple e-mail with no other context is closely equivalent to a letter or fax sent on plain white paper. Under what circumstances should we take seriously a message sent on plain paper from a stranger, even if we could track down their name?

In truth, the vast majority of serious communications occurs not between strangers but in a rich existing context, where the receiver has already been qualified in some way by the sender as likely being the right party to contact. In e-business, routine transactions are not usually conducted by e-mail but instead use special purpose software or dedicated websites with purpose built content. Thus we see most of the digital signature action in cases such as e-prescriptions, customs broking, trade documentation, company returns, patent filing and electronic conveyancing.

Several important simplifying assumptions flow from the fact that most e-business has a rich context, and these should be heeded when planning PKI:

Emphasise straight-through processing

In spite of the common worked example of Alice and Bob exchanging e-mails, the receiver of most routine transactions – such as payment instructions, tax returns, medical records, import/export declarations, or votes – is not a human but instead is a machine. The notion that a person will examine digital certificates and chase down the CA and its practices is simply false in the vast majority of cases. One of PKI’s great strengths is the way it aids straight-through processing, so it has been a great pity that vendors, through their training and marketing materials, have stressed manual over automatic processing.

Play down Relying Party Agreements

The sender and receiver of digitally signed transactions are hardly ever unrelated. This is in stark contrast to orthodox legal analyses of PKI which foundered on the supposed lack of contractual privity between Relying Party and CA. For example the Australian Government’s extensive investigation into legal liability in digital certificates after 76 pages still could not reach a firm conclusion about whether a “CA may owe a duty of care to a [Relying Party] who is not known to the CA” [http://www.egov.vic.gov.au/pdfs/publication_utz1508.pdf]. The fact is, this sort of scenario is entirely academic and should never have been given the level of attention that it was. The idea of a “Relying Party Agreement” to join in contract the RP and the CA is moot in all “closed” e-business settings where PKI is thriving. It is this lesson that needs to be generalised by PKI regulators, not the hypothetical model of “open” PKI where all parties are strangers.

Play down certificate path discovery

The fact that in real life, parties are transacting in the context of some explicit scheme, means that the receiver’s software can predict the type of certificate that will most often be used by senders. For instance, when doctors are using e-prescribing software, there is not going to be a wide choice of certificate options; indeed, the appropriate scheme root keys and certificates for authenticating a whole class of doctors will likely be installed at both the sending and receiving ends, at the same time that the software is. When a doctor writes a prescription, their private key can be programmatically selected by their client and invoked to create a digital signature, according to business rules enshrined in the software design. And when such a transaction is received, the software of the pharmacist (or insurance company, government agency etc.) will similarly ‘know’ by design which classes of certificates are expected to verify the digital signature. All this logic in most transaction systems can be settled at design time, which can greatly simplify the task of certificate path discovery, or eliminate it altogether. In most systems it is straightforward for the sender’s software to attach the whole certificate chain to the digital signature, safe in the knowledge that the receiver’s software will be configured with the necessary trust anchors (i.e. Root CA certificates) with which to parse the chain.
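The two points above (straight-through processing and design-time trust anchors) can be shown in working code. What follows is an added example, not code from the paper or from any real e-prescribing scheme: it stands up a toy hierarchy (a scheme root, a "Medical Board CA", one doctor; all names invented), has the prescribing client select its key and attach the whole chain by business rule, and has the pharmacy's software verify the signature against the pre-installed scheme root alone. The sample prescription text is constructed. A certificate issued under a perfectly valid but unrelated CA is rejected automatically, with no human ever reading a CP or CPS, and no path discovery beyond the configured root ever takes place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Prescription is the constructed wire format: body, signature, and the whole
// chain the sender attaches (doctor's certificate first, then its issuer).
type Prescription struct {
	Body, Sig []byte
	Chain     []*x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates a P-256 key and a one-day certificate for it, signed by
// parent/parentKey; a nil parent yields a self-signed root.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// NewScheme stands up a toy hierarchy (<name> Root -> <name> Medical Board CA -> one
// doctor; all names invented) and returns the trust anchors that ship with the
// receiving software plus the prescribing client's signer, whose key and chain are
// fixed by design rather than chosen by the doctor.
func NewScheme(name string) (*x509.CertPool, func(body []byte) *Prescription) {
	root, rootKey := newCert(name+" Root", nil, nil, true)
	ca, caKey := newCert(name+" Medical Board CA", root, rootKey, true)
	doc, docKey := newCert("Dr Alice Example", ca, caKey, false)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	sign := func(body []byte) *Prescription {
		digest := sha256.Sum256(body)
		sig, err := ecdsa.SignASN1(rand.Reader, docKey, digest[:])
		check(err)
		return &Prescription{Body: body, Sig: sig, Chain: []*x509.Certificate{doc, ca}}
	}
	return roots, sign
}

// Verify is the pharmacy's straight-through check: path building is confined to the
// configured scheme root, so a valid certificate from any other CA is rejected without
// anyone reading a CP or CPS; the body signature is then checked against the leaf key.
func Verify(roots *x509.CertPool, p *Prescription) error {
	if len(p.Chain) == 0 {
		return fmt.Errorf("no certificate attached")
	}
	leaf, inter := p.Chain[0], x509.NewCertPool()
	for _, c := range p.Chain[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued under this scheme: %w", err)
	}
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, p.Body, p.Sig); err != nil {
		return fmt.Errorf("signature does not match body: %w", err)
	}
	return nil
}

func main() {
	roots, sign := NewScheme("Toy e-Prescribing Scheme")
	rx := sign([]byte("Rx: amoxicillin 500 mg tds, 7 days")) // constructed sample
	fmt.Println("genuine: ", Verify(roots, rx))
	_, strangerSign := NewScheme("Some Other PKI") // valid certificate, wrong scheme
	fmt.Println("stranger:", Verify(roots, strangerSign(rx.Body)))
}
```

Note that the receiver holds only the scheme root, not the issuing CA: that is why the sender attaches the intermediate as well, and a message carrying the doctor's certificate alone fails to verify. The stranger's doctor even has the same common name as the genuine one; it is the trust anchor, not the name, that decides.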

Posted in PKI, Identity, Federated Identity

Despite the IdM hype, privacy and security remain uneasy bedfellows

The information security sub-specialisation of Digital Identity has spurred prodigious activity in the past decade, from academics, policy makers and IT vendors. We’ve seen new “Laws of Identity”, national identity strategies, numerous big industry consortia, many new technical standards for federating identities and exchanging interoperable “identity assertions”, and a flood of new products. All the while, enhanced privacy is held to be axiomatic in the new identity frameworks.

Yet despite all this, technologists’ views on privacy have been diverging, often dramatically. Data breaches by big information companies―whether accidental or slyly intended―seem to have only got worse. The responses of security professionals to cases like the collection of wifi data by Google Streetview cars have been muddle-headed, with many not seeing the problem at all. Social network operators like Facebook and Google have sought to re-cast societal norms, by banning nicknames and insisting that members use only their one “real” name. Facebook’s Mark Zuckerberg argues that those who use more than one name lack integrity.

Distressingly, at every level, security and privacy remain very uneasy bedfellows.

Technocrats give lip service to privacy. They skate over privacy principles, often presuming to know what privacy laws say without actually reading them. In their deeds and in their crazy talk, the Zuckerbergs and Schmidts of the world reveal grave misunderstandings about the topic. Of course it passes understanding that anyone listens to these guys on privacy when their multi-billion dollar fortunes are made on the back of pirating Personal Information.

And yet even well meaning technologists also seem to be on a different wavelength from privacy strategists. For instance, the architects of OpenID and grand plans like NSTIC try to deal with privacy and yet the claimed privacy benefits are problematic when looked at closely. Orthodox federated identity brings a host of privacy challenges that have not yet been properly canvassed (possibly because US privacy perspectives are especially “high tech” whereas in other jurisdictions, information privacy focuses on controlling the flow of personally identifiable information, which is often a surprisingly low tech business). I see immense privacy challenges in federated identity formulations, including:

    • Many Identity Providers will be start-ups. Or existing enterprises setting up new business units to strike out into brand new cyber markets. Either way, in a spookily familiar action replay of Big PKI in the 1990s, these players will be aggregating vast amounts of Personal Information, making them honey pots for organised crime, and lucrative corporate takeover targets.
    • The net amount of PI collected in the federated identity “metasystem” is larger than what is collected today.
    • Federated Identity transforms time-honoured private bilateral transactions into complicated multi-lateral dealings, with excessive PI being collected where previously it was not needed.
    • The new privacy constructs are highly technical and artificial. For instance, “Verified Anonymity” services work by collecting PI only to hide it from others.

A re-think of security and privacy is urgently needed. Let’s recognise that digital identity is really a metaphor for the way we act in certain complex relationships. As such, “identity” is not an intrinsic characteristic at all but instead is an emergent property of the collection, use and disclosure of personal information in different contexts. It’s not the sort of stuff that demands fancy new theories, just a recognition that we deal with individuals in constrained ways in the real world, and we should continue to do so online. If we could just demystify digital identity a little, we should find it easier to marry information privacy and security.

Posted in Privacy, Identity, Federated Identity

Customer, How do I know thee?

One of the main contentions of the Identity Metasystem, NSTIC and like models is that banks, governments, telcos, universities and so on will be able to generalise their roles as Identity Provider, so that their customers can use their identities with other system participants. See for example "Envision it" No. 5 in the NSTIC strategy paper:

Ann learns that her recently issued bank card and her new university card are both Identity Ecosystem-approved credentials. She also discovers that her email provider and social networking site accept both of these credentials, while her health care provider and local utility companies accept the higher assurance bank card.

I agree it's useful to model banks and other institutions as issuing identities to their customers, but it's only a model. "Identity" is really a metaphor here; to be precise, digital identities are proxies for the relationships that certain organisations have with their members or customers. They cannot be taken out of their traditional contexts and bent without limit to suit other contexts without eventually breaking them. The identities issued by banks are special purpose and cannot be easily opened up to new Relying Parties. Past attempts to open up banking identities and federate them into other domains -- like the Australian Trust Centre and the Internet Industry Association Two Factor Authentication hub -- could not convince banks that the risks were manageable while delivering a positive net benefit.

There is a promise in many federated identity formulations -- like NSTIC -- that banks will be able to become IdPs for external Relying Parties, based on the fact that they already know their customers so well, and the system will provide arrangements for others to rely on that knowledge. How would that work in detail?

A would-be IdP must work out what knowledge it has about its customers that it is prepared to warrant to outside RPs, and for what purpose, and with what limitations. At present, a bank knows its customers with sufficient precision to suit its own purposes (and banking regulators). But underwriting identity assertions for the benefit of outsiders brings new risks to the bank that they have never before had to contemplate.

If the bank wants to productize the identification of its customers, then it needs to analyse its liability in the event that transactions go wrong between its customers and those external RPs. This is a tough problem when the bank has no necessary connection with those RPs, nor any control over the transactions. Of course, the bank might seek to gain some control, by qualifying just what it is that its customers are allowed to do with their bank-issued identities. But then this starts to look like the fine print that helped to sink Big PKI over a decade ago.

I reckon that the cost of even analysing the risks, much less putting new contractual (or legislated) liability arrangements in place will outweigh the costs of merely maintaining the diverse and separately evolved identities we have today. There is a middle road, where IdPs could qualify what their identities are good for (e.g. Bank A might support Health Care Providers P, Q, T and W and no others) but this would significantly dilute and devalue the vision of NSTIC. It's not what the strategy promotes.

Posted in Federated Identity, Identity

Remember that Digital Identity is a metaphor

The seminal Laws of Identity define a Digital Identity as a set of claims made by one digital subject about itself or another digital subject.

It's important that this is a metaphor. Intellectually, it is a very powerful formulation, and I have no essential objection to it. Yet unfortunately the word "identity" in day-to-day use is suggestive of a sort of magic property that can be taken out of one context and freely applied in another. So despite the careful framing of the Laws of Identity, many people still carry around a utopian idea of a singular digital identity based on a different metaphor, and they often appeal expressly to another metaphor: the passport. The tacit belief in the possibility of a universal digital passport has been a long standing distraction, and terribly unhelpful, for there is no such thing in the sense the word is used by technologists.

Ever since the early days of Big PKI, there has been the beguiling idea of an all purpose credential that will let its bearer into all manner of online services, and enable total strangers to “trust” one another online. Later, Microsoft of course even named an early digital identity service “Passport”, and the word is still commonplace in discussing authentication products. The idea is that the passport allows you to go wherever you like, yet the concept that the metaphor alludes to doesn’t exist.

A real world passport simply doesn’t let the holder into any country. To begin with, a passport is not always sufficient; you often need a visa. Then, you can’t stay as long as you like in a foreign place; some countries won’t let you in at all if you carry the passport of an unfriendly nation. You also need to complete a landing card and customs declarations specific to your particular journey. And finally, when you’ve got to the end of the arrivals queue, you are still at the mercy of an immigration officer who usually has the discretion to turn you away based on any other evidence they may have to hand. As with business transactions, there is much more to border control than identity. So if we could create the universal digital identity, we would do well to call it something other than “passport”!

Metaphors are more than wordplay; they are used to teach, and once learned, simplistic mental models like “electronic passport” can be deeply unhelpful. The dream of general purpose digital certificates is what derailed PKI. When they tried to implement digital passports, as general purpose digital certificates, they turned out to be unwieldy, riddled with fine print, and very rarely could they be used anywhere on their own. That is, "passport" is easier said than done, so it's a really lousy metaphor.

Yet with “open” federated identity frameworks, we’re unwittingly repeating many of the missteps of early PKI, largely because people are still failing to see the devilish details beneath the metaphors.

The well-initiated get that the Laws of Identity and worthy schemes like NSTIC all involve a plurality of identities tuned to different contexts. Many federated identity supporters expressly deprecate the idea of having a single all-purpose cyber identity. Yet NSTIC in particular is easily confused by many with a single new ID; a crazy number of press reports represent it as a "passport" or an Internet "driver licence". It's a misunderstanding that is actually exacerbated by the strategy’s own champions when they use terms like “interoperable” without enough care, and casually imagine that a student in future will log in to their bank using their student card.

The Laws of Identity teach that identities are context dependent. That is, you cannot expect that an ID issued in one context will operate seamlessly in another. If we unpack the digital identity metaphor, then it's actually obvious that identities don't easily interoperate. A set of claims made about me in one context such as my employment might include my length of employment, position, purchasing authority, office phone number, superannuation account number, and above all, my employer's imprimatur for me representing the organisation. Or if I were enrolled at university, my student identity might include assertions of my student number, my faculty, the stage of my course, and my eligibility to get into certain laboratories and certain online collections. What can such claims say about me in another context, say banking or healthcare? Very little.

A curious omission in the Laws of Identity has always been interoperability. The interoperability of atomic claims like date of birth, home address, credit card number, student number or SSN is almost trivial; some services recognise these claims and have business rules that use them, while others don't. But the "interoperability" of a rolled-up set of claims like "Steve Wilson is employed by Lockstep Pty Ltd." is almost moot. It says a lot about me in the context of a Relying Party doing business with Lockstep as represented by me, but my corporate identity means nothing to retailers, personal health services, my personal bank, or even the video store.

Posted in Language, Identity, Federated Identity, Security

I just don't get Levels of Assurance

IDAM practitioners and government authentication policy makers have settled on a generic quaternary categorisation of transaction risk and of quality-of-enrolment. Let's recap: the idea is to characterise the seriousness of a transaction in terms of LOA 1/2/3/4 and then match the LOA of the party you’re planning to do business with. Quaternary LOA schemas are codified in NIST SP 800-63 and described more loosely in the Australian National Electronic Assurance Framework (NEAF).

The idea of LOAs came from risk management methodologies and standards like AS 4360 and now ISO 31000. These approaches involve gauging the severity and frequency of anticipated adverse events, and combining them to deduce a rolled-up risk rating for each event on an ordinal scale, like {Negligible, Low, Medium, High, Extreme}. Examples given in the NEAF documentation use consequence-severity tables lifted straight out of AS 4360.

A powerful feature of this approach is that each enterprise is empowered (in fact expected) to create its own internal calibrations of adverse events. Severity can be gauged in different ways, by referencing monetary losses, health consequences, political impact and so on, and the most appropriate frame will depend on the business environment. Organisations also set their own policies for what level of risk is acceptable for each anticipated threat. So some will not tolerate residual risks that are worse than Low, while others will live with Medium risks on a case-by-case basis with special contingency plans.

As a result, risk determinations made against ISO 31000 and the like are not transferable between organisations. Simply saying that a certain event (for example compromise to a user account) has a risk rating of “Medium” tells someone outside the organisation nothing at all about the details of the threat, its impacts, its expected likelihood, nor how it might be mitigated.

And yet the authentication LOA paradigm has us pick and choose externally issued identities based on a rolled up rating of LOA 1, 2, 3 or 4. There really cannot be any definitive assurance that all “LOA 3” credentials for instance issued by all IdPs are equivalent, nor that they will satisfy the detailed needs of all Relying Parties conducting “LOA 3” transactions.

The idea of quaternary LOAs was based on schemas that are used to communicate risk within organisations. They do not work for communicating about risk between organisations, and therefore the approach is not as useful for LOAs as it might first appear.

Posted in Internet, Identity, Fraud, Federated Identity, Security