No easy fix for federated identity liability

One of the many open questions in the proposed National Strategy for Trusted Identities in Cyberspace (NSTIC) is whether government will need to step in and legislate around liability allocation. Like federated identity itself, this is easier said than done.

The NSTIC discussion paper states:

  • This Strategy defines an Identity Ecosystem where one entity vets and establishes identities and another entity accepts them. To date, the appropriate apportionment of liability has prevented the cross-sector issuance and acceptance of identity credentials. The Federal Government must address this barrier through liability reform in order to establish the multi-directional trust required by transaction participants (p28).

It is true that liability allocation has impeded federation, but I don’t think we’ve collectively thought deeply enough about why this is the case. Legislators won’t find a quick way to “reform” liability as called for by the NSTIC paper.

The identity ecosystem paradigm (yes, paradigm) is premised on the intuition that when Alice has gone to all the trouble of establishing her identity with a bank or government agency or e-store, she should be able to leverage that identity so that other service providers can strike up a fresh relationship with her. But in practice, this dream is impossible to achieve without all sorts of constraints.

All identity practitioners agree on the truism that identity is context dependent. But have we underestimated just how context-dependent identities are? Have we been too optimistic about our ability to engineer the changes of context that are implicit in federated identity?

The trouble is that what we think of as Alice’s “identity” is really a proxy or shorthand for a specific relationship that she has with a particular provider. The rules by which she is conventionally identified vary from one provider to another, because each has its own business needs. Establishing a common set of rules is one of the insurmountable challenges in federated identity. Firstly, it is logically impossible to set rules for unforeseen applications and Relying Parties. So federated identities come with fine print that constrains what applications a user is allowed to use their identity in (it’s a lot like Big PKI all over again). This not only limits what we hoped would be universal identities, but it leads to a bigger practical problem. Once we agree on a set of uniform identification rules, sufficient for at least a nice big set of applications, it turns out that none of the existing Identity Providers (the oft-cited candidates for which are banks, governments, telcos and social IdPs) will actually be following those rules already. They will all have to modify their registration procedures to align with the federation’s rules. This is very costly; banks in particular don’t readily change their KYC rules. There is great risk as well in investing in these changes, for the business model for making money from federated identities is still unproven. And so extant digital identities are not in fact useful for very much at all beyond their original contexts.

Another way of looking at the problem is to consider how identity providers manage their risk. Currently, banks/agencies/telcos create digital identities for their customers as part of a relationship governed by explicit Ts&Cs. For instance, banking customers are usually forbidden from using their Internet banking OTP tokens to authenticate themselves to any other services (I have seen at least one Australian federated ID scheme collapse because re-writing and re-executing these agreements is too hard). The good thing about the oft-derided identity silos is that they allow issuers to manage risk by tightly defining the context in which their customers use their “identities”. When we try to break open the silos, and turn banks into general purpose Identity Providers, we compromise their ability to manage their risk. The ultimate promise of federated identity is that the customer will be able to use, for instance, a bank-issued identity in all manner of other applications, over which the bank has no control. This is a promise that banks are not able to keep, unless there is new legislation to address the liability. The only places where cross-sector identity federation seems to work are where specific laws have been passed to protect Identity Providers, such as in Scandinavia.

The reason why banks and other classic candidate IdPs have found federation easier said than done is that it’s fiendishly difficult to manage liability for mis-identification in unforeseen applications. As far as I am aware, when new laws have enabled cross-sector federation, it has been restricted to banking and government, and even then, with tight constraints on the types of transactions allowed. Outside these legislated conditions, RPs are left to their own devices to manage authentication risks, and siloed identity relationships persist, as a natural consequence.