Lockstep

The Natural Limits to Federated Identity

An updated slide deck introducing the memetics of digital identity, and showing how business system ecology puts natural limits on Federated Identity.

Abstract

Federated Identity is a response to the situation that has arisen in the digital economy where each of us operates an increasingly bewildering array of identities. Elaborate identity management frameworks are being developed to streamline the user experience, lubricate the way businesses and users connect, and - hopefully - save cost.

Federated Identity has proven to be easier said than done. This slide deck summarises my new ecological frame for understanding the problem and clarifying the way forward. Existing real-world business ecosystems have shaped the identities we have today, and place natural limits on how they may be artificially federated.

The great variety of identities in and of itself suggests an ecological sort of explanation. As with natural speciation, different digital identities have probably evolved in response to different environmental pressures.

Each digital identity can be unpacked into discrete traits. Examples include security technique, registration process, identification requirements, user interface, algorithms, key lengths, liability arrangements and so on. These traits can be seen as memes: heritable units of business and technological "culture" and practice. Memes like Two Factor Authentication get passed on from one generation to the next. And they can jump ecosystems; retail banking got the idea of 2FA from enterprise security. Other memes correspond to standards, like hash algorithms. In government, SHA-1 was recently superseded by SHA-256, but that new meme is slower to take hold in commercial markets because of different environmental conditions, like legacy system interoperability.

[Many readers will know that the field of memetics did not develop as its proponents had expected, and has been vigorously criticised. Some say memetics is dead. I acknowledge that debate, but I cite the work of Lord & Price (2001) which even critics say was sound. In particular, Lord & Price used software to perform similarity analysis on memes they identified in institutional structures and thereby managed to recreate a reasonable family tree plotting the evolution of those traits. This sort of work could be usefully repeated for authentication practices.

Ref: Lord, A. and Price, I. (2001) Reconstruction of organisational phylogeny from memetic similarity analysis: Proof of feasibility.]

Using the ecological frame, we can see that different selection pressures operate in different business environments, and that identity memes evolve over time in response. Examples of these selection pressures include fraud trends and modalities, privacy, convenience, accessibility, regulations (like Basel II, banking KYC rules, anti-money laundering identification, HIPAA, and HSPD-12), professional standards, and disruptive new business models like branchless banking and associated Electronic Verification of Identity.

This ecological mindset could lead to a more generous understanding of the dreaded identity silos as being ecological niches in different ecosystems, like banking, retail, government, healthcare, education and so on.

We might now usefully temper some of the grander expectations of the new identity frameworks. We should probably be more sceptical about the prospects of taking an identity like a student card out of its original context and using it in another, such as banking, for it’s a lot like taking a saltwater fish and dropping it into a freshwater tank.