Identity Evolves [AusCERT Conference Presentation Abstract]

This is the abstract for my paper that has been accepted in the main program at the AusCERT 2011 Conference.

AusCERT2011 | “Overexposed” | 15th-20th May 2011
Royal Pines Resort | Gold Coast, Australia

Why does digital identity turn out to be such a hard problem? People are social animals with deep seated intuitions and conventions around identity, but exercising our identities online has been hugely problematic.

In response to cyber fraud and the password plague, there has been a near universal acceptance of the idea of Federated Identity. All federated identity models start with the intuitively appealing premise that if an individual has already been identified by one service provider, then that identification should be made available to other services, to save time, streamline registration, reduce costs, and open up new business channels. It’s a potent mix of supposed benefits, and yet strangely unachievable. True, we can now enjoy the convenience of logging onto multiple blogs and social networks with an OpenID or an unverified Twitter account. But higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes.

This paper shows that Federated Identity is in fact a radical and deeply problematic departure from the way we do business. It complicates long standing business arrangements and exposes customers and service providers alike to brand new risks which existing contracts are unable to deal with. Federated identity naively fails to understand that identities are proxies for relationships we have in different contexts. Business relationships don’t easily “interoperate”. They can’t be arbitrarily tweaked to suit different contexts, because each relationship has evolved to fit a particular niche. While the term identity “ecosystem” is fashionable, genuine ecological thinking has been lacking. The alternative presented here is to faithfully conserve business contexts and replicate existing trusted identities when we go from real world to digital, without massively re-engineering proven business rules and risk management strategies.

The past decade is littered with earnest identity initiatives that failed to get off the ground (including at least three in Australia alone) and security industry consortia that over-promised and under-delivered. We’ve endured endless deconstructions of “trust” and theoretical dissertations on “identity” but none of this work has led to the sort of breakthrough that’s desperately needed. Online identity fraud continues to grow. The direct cost is hundreds of billions of dollars globally; the indirect cost includes a malaise inhibiting such truly transformative initiatives as e-health.

In spite of its conspicuous failures and the revolving door of technical working groups, Federated Identity has become an orthodoxy. The US federal government’s proposed National Strategy for Trust Identities in Cyberspace (NSTIC) takes federation as a given. Its central tenets such as the pigeonholing of identification risk into four generic “trust levels” have been standardised in SAML and productised, but not yet realised.

If we take a closer look, we can see that nothing like Federated Identity has ever been done before. The proposition that banks, telcos, universities and governments should act in the open as “Identity Providers” is not something these institutions have contemplated outside their own closed business contexts.

Most federation initiatives hold out self-evidently noble objectives like “interoperability”, “openness” and the eradication of “silos”. Yet these feel-good words don’t stand up to scrutiny. Federation implies widespread changes to business rules and risk management arrangements, which lawyers and legislators have yet to come to grips with. Consider that banks have long established (and highly regulated) protocols for identifying customers. Introducing new third party identity providers and new enrolment pathways is a true paradigm shift, demanding untold revision of conventions, contracts and legislation.

The benefits of decentralisation claimed of Federated Identity are largely illusory. It is good for privacy and security that federation generally deprecates any one master ID, but it introduces legally novel intermediaries and new aggregations of personal information. For instance, in order to provide for “verified anonymity”, Federated Identity has customers enrol with brand new Identity Providers, handing over bulk personal information to them, only so that it may be withheld from service providers.

It is often said that identity management is “not a technology issue”. The statement is both right and wrong. The biggest challenges in federated identity are certainly not technological; rather, they relate to risk allocation in an unprecedented joined-up matrix which changes the legal fundamentals of how we do business. On the other hand, the pressing problems of ID theft and fraud really are technologically straightforward.

We all agree that identities are context dependent; the deeper truth is that identities are proxies for complex relationships that have evolved to fit distinct niches in the identity ecosystem. As with real life ecology, characteristics that bestow fitness in one niche can work against the organism in another. Thus the derided identity “silos” are a natural and inevitable consequence of how business rules are matched to particular contexts.

We need to avoid complicated generalisations about identity, and instead focus on simplifying assumptions. The password plague is only a problem because traditional access control was devised for technicians; consumer authentication simply needs better human-machine interfaces.

The real problem lies not in existing identity issuance processes; it’s to do with the way perfectly good identities once issued are taken ‘naked’ online where they’re vulnerable to takeover and counterfeiting. If we focussed on conserving context and replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.