Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

The False Allure of Federated Identity

A presentation to the Cyber Security Summit, Sydney, 2nd August 2012.

Extract

Identity in the real world is no mystery. We all know what’s meant by individual identity, alongside national, cultural, corporate and multiple identities. But when we went online, we made a mess of it. Engineers for years have felt the need to analyse and redefine identity, to solve theoretical problems like “stranger to stranger” e-commerce. Along the way they turned relatively straightforward technology problems into sociological, philosophical and intractable legal problems.

A great many Federated Identity schemes, companies and technologies have struggled and failed. In Australia, two well intended and well resourced banking federations were cancelled. The cause is too often misjudged to be a lack of cooperation. The more likely reason is that federation is harder than it looks. In the case of MAMBO (which hoped to create a single life-long account number usable at any Australian bank), the banks discovered that BSBs are ‘deep in their DNA’ and the total cost of reengineering business arrangements for a single portable account was greater than first thought. Even Microsoft couldn’t make Cardspace succeed, despite it being the supreme expression of the widely accepted “Laws of Identity”. There is as yet no satisfactory unified explanation for the failure of Cardspace. I contend that the problem is in Federated Identity itself. We sorely need to understand these failures if we can have faith in the “identity ecosystem” and the future of such grand plans as the US National Strategy for Trusted Identities in Cyberspace (NSTIC).

Major efforts are currently underway to construct a new identity “ecosystem”. In truth, most of the proposals are elaborate architectures and not true ecosystems. Natural ecosystems evolve in response to real world environmental challenges, whereas artificial ecosystems tend to be fragile and need constant care and intervention to stave off collapse.

Instead of building new ones, we should look more closely at existing identity ecosystems and metasystems. The past twenty years has seen a great variety of identity methods and devices emerge. In parallel, Internet business has developed under the existing metasystem of laws, regulations, contracts, industry codes and traditional risk management ploys.

The very variety of identity methods suggests an ecological explanation. It seems most likely that different methods have evolved in response to different environmental pressures.

Each digital identity can be unpacked into discrete traits relating to security technique, registration process, identification requirements, user interface, algorithms, key lengths, liability arrangements and so on. These traits can be seen as memes: heritable units of business and technological “culture”.

Using the ecological frame, we can see that different selection pressures operate in different business environments, and that identity memes evolve over time in response. Examples include fraud, privacy, convenience, accessibility, regulations (like Basel II, KYC rules, AML/CTF, HIPAA and HSPD-12), professional standards, and new business models like branchless banking and associated Electronic Verification of Identity. This thinking leads to a more generous understanding of identity silos as ecological niches in different ecosystems, like banking, retail, government, healthcare, education and the professions.