Federated Identity and before that, Single Sign On (SSO), are responses to the password plague. The cost of managing multiple passwords and multiple identities rises as they proliferate. The total cost of identity management encompasses the time and personal burden of keeping track of them all, the resources wasted on password resets and similar administrative overheads, and the extra effort needed to enrol afresh for each new identity.
I don’t know if there are formal studies of Total Cost of Ownership (TCO) in Identity Management, but people figure intuitively that it goes like this:
It seems reasonable. The more ids, the more the hassle and effort, and the higher the cost.
Yet can we assume that the reverse applies? If we reduce the number of ids, will the TCO fall? It depends how far down we want to go. The implicit assumption in SSO is that the total cost of having just one identity will be the minimum. But SSO turned out to be easier said than done; the initials have come to mean “Simplified” Sign On. So what’s going on here?
My experience of federated identity is that there are major legal complexities and costs that are often unanticipated when framing these initiatives. In particular, when a service provider like a bank or government agency wants to authenticate its customers through a third party identity, there are significant new overheads. The service provider’s risk assessment needs to be reviewed, and quite often, negotiations will be entered into with the new identity providers (or applicable authentication brokers). By the same token (pun intended) if an identity issuer like a bank is going to allow their customers to re-use those identities for additional services, then there will need to be new contracts and Ts&Cs drawn up.
The more powerful the federated identities, the more complex the new arrangements will be.
Therefore the TCO of a set of identities will at some point start to increase as the size of the set drops. Nobody as yet has got close to a single identity. Big PKI failed in that ambition. Even in the reasonably closed banking environment, attempts to federate a single identity, like the Australian Trust Centre and “MAMBO” initiatives failed to get off the ground, partly because of unresolved contractual complexities. These snags point to higher costs, not lower.
So it must be the case that the relationship between TCO and the number of discrete identities anyone has is bowl-shaped, as below. The cost of a single identity is incalculable, and might literally be infinite (i.e. the single ID is unattainable), since the fine print associated with any ‘master ID’ will mean that it cannot in fact meet the needs of all Relying Parties.
An interesting research question is: what is the value of the ‘ideal’ number of identities where TCO is at a minimum? An empirical ballpark estimate is 10-15, based simply on the number of identities most of us currently carry in our purses and wallets. We can think about this magic number ecologically. If the current business ecosystem has settled on a dozen or so discrete identities (bank accounts, credit cards, a driver licence, a public health insurance card, a private health insurance card, an employee ID, a passport), then the cost of consolidating them is probably higher than the cost of leaving them alone; otherwise we would have seen natural federation already.