Digital ID World
By John Latta, WAVE
San Francisco, CA
May 10 - 12, 2005
There are 600+ here at this unique conference. This is
the 4th event and the market forces of compliance, criminal activity
on the net and consumer concerns are bringing identity management to
the forefront. It is a well run event with a trade show floor in the
center of the atrium of the Hyatt Regency in San Francisco. Our focus
is to understand the role that biometrics may play, but it is clear that
much larger forces are shaping the identity market dynamics. Having
been to five biometrics conferences, this is a cold shower of a totally
different aspect of the need for security. Identity management, in many
respects, is at the center of logical access. Thus, we are seeing the
very early development of the logical access market. As in biometrics,
this market is chaotic and shaped by impulse forces. Here it is clear
this centers on compliance with Sarbanes-Oxley (SOX). As one booth conversation
netted, the enterprise sector has just completed the first
round of compliance with SOX; businesses are anxious to get compliance
under control, and identity management is a critical factor.
Driving Identity Management with its use in Compliance
Phil Becker, Editor-in-Chief of Digital ID World gave a
very insightful kick off presentation. It focused on the role that compliance
is playing in fostering the development of the identity management market
but there was much more to the talk.
One of the problems with computing today can be traced
to its roots. In the early days of computers, physical access was a
proxy for identity. That is, there was no need to tie identity on the
computer because the physical access assured that no one could get
to a computer unless they passed the physical controls. As a result,
booting and signing on were trivial for any individual in the computer room.
This was called the location paradigm and Phil maintains
that it still exists today. That is, location is a proxy for identity.
The problem is that in a networked environment where
anyone can be anywhere, the location paradigm does not exist anymore.
As a result, firewalls and other devices seek to protect the network
by putting up barriers. This has resulted in a network siege mentality.
Phil cited that “once a computer is connected to a network no
physical computer remains fully under your control.”
Phil maintains that identity is the organizing construct
for networks. Once identity is established, it is possible for autonomous
agents to identify each other, organize interactions, pass certificates
of authority and to be held accountable irrespective of location.
Many of the problems we face today are a result of the
design of networks. He used the OSI model to show how networks are
designed around communications. What is missing is an identity layer.
Without this, there has been a passing of the buck of identity. That
is, identity is integrated into many of the layers, such as in applications
and logons that are independent identity silos. The lack of identity
is compromising the network.
Experience has shown that major computing developments
take 10 years. The Internet took 10 years to mature. We are now in
the second phase with web services and, as he described it, the tools
and means for more effective use of network computing are getting there.
But the next wave will come with identity on the network and this has
barely begun. If history is a guide, a 10 year quest lies ahead.
He called compliance a universal application on the
network because it is a natural extension of doing business on the
network. It is just like accounting and will be a cost of doing business.
What is critical is that compliance must be automated in order to bring
down the cost.
Authentication is the foundation of identity based computing
techniques. Provisioning is the foundation of compliance automation.
Identity Theft is a BIG Problem
Nicco Poppo, CTO and VP, VeriSign presented his views on
a layered approach to protecting consumer identities.
In 2004 the FTC cited that consumer identity theft was
The bad guys are going digital – 57% of all fraud
complaints are Internet related.
March 2005 was a bad time. There was ChoicePoint, LexisNexis
and more. The loss of identity hit the radar screens of the public
and legislators. It is likely that we will see a legislative response.
There are 18 federal and 30 state cybersecurity bills pending.
The Internet only compounds the issues around identity
theft. It makes it possible for criminal activity because it is low
cost, criminals can be anonymous and effective and it is scalable.
For example, phishing is 6% effective, an unheard of rate for any fraud.
The result is that the Internet has become an organized crime network.
Consumers are also very concerned. 60% of online consumers
are “extremely concerned” about security when banking online.
Another view can be taken – security can be a
market advantage. Trust is a competitive advantage. Trust is “sticky.” New
services can be offered which are based on stronger IDs and these can
offer higher value transactional services.
Paulo de Almeida was cited as an example of how effective
the criminals have become. An article from The ChannelRegister is at
the end of this report.
Nicco Poppo concluded that only a layered defense that
includes the Users, Desktop, Web Site and the Corporation will mitigate
these multi-faceted attacks.
The 7 Laws of Identity
Kim Cameron of Microsoft gave an impassioned plea that
we need to establish a framework to deal with the identity problems on
the Internet. He has engaged many in the development of these “laws” with
the blogosphere being a tool to form the dialog. At times the discussion
was abstruse, but semantic debate is a part of the process of dialog.
The problem is that the Internet was built without a
way to know who and what you are being connected to. The result is
that there is a patchwork quilt of identity one-offs. Consistent with
the observations of Phil, the Internet is “Missing the identity
layer.” This creates a world without digital identity synergy.
The Internet has attracted international criminals.
Phishing and pharming are growing at 1000% CAGR.
The criminalization of the Internet has the potential
of halting web services before they leave the starting gate. The problem
is that the ad hoc nature of Internet identity cannot withstand the
growing assault of professional attackers. Kim predicted a deepening
public crisis on the role and use of the Internet.
What is required is to go from a patchwork to an identity
fabric. He has come to the conclusion that no simplistic solution is
realistic. As a result, based on much dialog, Kim has developed these “laws.”
1 – User Control and Consent
Digital identity systems must only reveal information
identifying a user with the user’s consent.
2 – Minimal Disclosure for Limited Use
The solution that discloses the least identifying
information and best limits its use is the most stable long term
3 – Justifiable Parties
Digital identity systems must limit disclosure of
identifying information to parties having a necessary and justifiable
place in a given identity relationship.
4 – Directed Identity
A universal identity metasystem must support both “omni-directional” identifiers
for public entities and “unidirectional” identifiers
for private entities.
5 – Pluralism of Operators and Technologies
A unifying identity metasystem must channel and
enable the inter-working of multiple identity technologies run
by multiple identity providers.
6 – Human Integration
A unifying identity metasystem must define the human
user to be a component integrated through protected and unambiguous
7 – Consistent Experience Across Contexts
A unifying identity metasystem must provide a simple
consistent experience while enabling separation of contexts through
multiple operators and technologies.
The WAVE asked the question – how does this stop
the criminals? The practical answer is that it does so only once the Internet adopts
many of these principles, so that the criminals stand out when they do not.
Slight problem – is it possible to wait that long before the Internet
The BIG Picture
Jamie Lewis, CEO & Research Chair, Burton Group, gave
the keynote on the second day. He put into context Identity Management.
Digital ID is becoming a mainstream issue. This is being
driven by the reality that business is moving onto the network. Identity
management is a core enabling infrastructure. This will evolve both
within and between enterprises on Service Oriented Architectures
(SOA) that include identity management. This will combine with other infrastructure
services to create an interoperable fabric which will support a new generation
of application services.
At the same time there is increasing interest in “user-centric” identity
management. This will enable a more reliable, usable and secure web.
It is essential that identity management be a part of a common infrastructure
within and between communities. But making identity such a core component
is at its early stages. There are many who would detract from this.
Today regulatory issues drive identity management. Provisioning
plays a major role. The reality is that the more software a company
has, the more it has to certify. But identity management products are
weak on role and policy discovery. We need standardized provisioning
Today the network and security infrastructure is becoming
We are seeing signs that federated sign-on is viable.
That is, identity which supports sign-ons amongst affiliates and between
loosely coupled domains within enterprises. We see that, through standards,
coexistence is possible in the near term but that convergence to this
goal will happen in the longer term.
The problem today is that there are too many custom
identity management integration projects. It is not a turn key solution.
Major issues lie in interoperability, assurance and trust.
Another issue is that identity management audit remains
a complex problem. Further privacy issues both drive and inhibit identity
management. We see that the regulatory environment demands action,
both national and international.
What has happened over the last several years is that
many of the small companies have been acquired by larger ones. This
has resulted in suites of identity management products but these are
loosely integrated. They do not have common workflow, connectors, administration
and audit. The result is that applying identity management results
in lots of customization. This will improve in the next 12 – 18
It will be essential that the providers move from product
suites to a platform. Security and identity management will join. What
will happen is that this platform will be a part of the SOA bus which
connects various application services. This reinforces the need for
a standards based federated communications infrastructure. Under this
is the ability for application services to interact securely. We feel
that it will take at least 5 years for this to emerge.
On the user-centric side – that is, consumers – we
are seeing the emergence of a virtual society in virtual places. Individuals
are buying, socializing and living online. At the same time invasive
technologies are increasing in equal measure. An underlying issue is
that the technical skills required are far too high.
It is important to give individuals assertive control
over identity information in commercial, social and other contexts.
This can be thought of as “federating” the individual.
We cannot lose sight of the fact that identity is highly
contextual. It is like all social interaction. Who we choose to be,
what we share will depend on the context. We will have many different
credentials and identifiers for different needs. Ad hoc groups, formal
communities, social structures and businesses will implement and manage
identity in a fashion that suits their needs. For example, identity
systems that work for a financial services company will not work for
social software and vice versa. The bottom line is that we are talking
about representing human behavior not machine behavior.
Federation is important because it allows for organic
growth in self-organizing systems. Identity connections will not form
because of some master directory but because individuals, groups, organizations
and companies will need those connections. These federated connections
will emerge on an as-needed basis.
What is needed is agreement on laws and principles.
The Internet community needs to solve this problem. The laws presented
by Kim Cameron of Microsoft are a beginning, and it is unorthodox for
Microsoft to be so open about an issue. We also need open standards,
protocols and frameworks. Then it will take time for technologies and
implementations to propagate.
Taming the Beast
One of the points made by Jamie Lewis, CEO & Research
Chair, Burton Group is that identity management requires highly customized
efforts to integrate into an enterprise. This was reinforced in presentations
by SunTrust Banks, Sony Media and GM. We saw the following threads.
Each company has many heterogeneous systems which must
interoperate. It was not uncommon to hear the term: “We have
at least one of everything.”
These systems impose an enormous burden on the users,
and one of the most frequently cited burdens is multiple passwords. Every
presenter listed password resets over help lines as a measure of the
burden and overhead cost.
But the nature of organizations, especially virtual
organizations that extend to vendors and contract individuals, drives
issues such as provisioning. Cited multiple times is the need for automated
provisioning which entails many functions in the organization including
Federation is essential as the identity management system
extends across many organizations or even within an organization that
has independent operations.
A common identifier for individuals, especially the
SSN, can no longer be used, except for financial reporting.
In the financial sector, compliance is critical but
this is now extending to all businesses which are listed due to SOX.
Compliance and identity management go hand in hand.
Role definition is very important to establish access
rights. Some did this manually but others are able to be automated
after some effort.
The functions within identity management include:
These companies would have multiple identity management
software components to accomplish these and they would have to be customized
for their needs. No suite exists.
It should be noted that biometrics applies to only the
Where Does Biometrics Fit When there is Strong Authentication?
A panel on The Great Authentication Debate captured many
of the issues which help define the role of biometrics. We summarize
this along with many assessment points.
Strong authentication is the use of a token, a small
device carried by the individual. This device frequently has an LCD
panel which generates a random number, sometimes as frequently as every
This number, with a PIN appended to it to form a larger number,
is the one time password (OTP) presented to a system.
Software running on a server then recomputes the expected value with the same
cryptographic algorithm to determine whether there is a match. If so, entry is granted on a one time
basis. The next attempt needs a new password which follows the same
RSA is a leading provider but many in the industry do
not like the fact that the implementation is proprietary. OATH published
a framework during the conference which seeks to make this open.
One of the problems with the OTP systems is that there
is no interoperability between applications. That is, a person must
carry a token for each application they desire to access. OATH seeks
to correct this also.
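As an added example that is not part of this report or of any vendor's product, the following Python models the token flow described above using HOTP, the counter-based one time password algorithm that OATH published openly (RFC 4226): the server recomputes the code from a shared secret and counter, expects the user's PIN in front of it, accepts each counter value only once, and tolerates a token that was pressed a few times without a login. The PIN-first ordering, the look-ahead window of 5 and the sample secret (the RFC 4226 test vector) are assumptions.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


class TokenRecord:
    """Server-side state for one token: shared secret, the user's PIN and the next unused counter."""

    def __init__(self, secret: bytes, pin: str, counter: int = 0) -> None:
        self.secret = secret
        self.pin = pin
        self.counter = counter  # lowest counter value the server will still accept


def verify_passcode(record: TokenRecord, passcode: str,
                    look_ahead: int = 5, digits: int = 6) -> bool:
    """Check PIN + HOTP code (PIN-first ordering is an assumption).

    Each counter value is accepted at most once, so a captured passcode
    cannot be replayed; codes older than the current counter are rejected.
    """
    if len(passcode) != len(record.pin) + digits:
        return False
    pin_ok = hmac.compare_digest(passcode[:len(record.pin)], record.pin)
    code = passcode[len(record.pin):]
    # Look-ahead window: the token may have generated codes that were never submitted.
    for c in range(record.counter, record.counter + look_ahead):
        if hmac.compare_digest(hotp(record.secret, c, digits), code) and pin_ok:
            record.counter = c + 1  # every counter up to and including c is now burned
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret with an assumed PIN of 1234.
    rec = TokenRecord(b"12345678901234567890", "1234")
    print(verify_passcode(rec, "1234" + hotp(rec.secret, 0)))  # first use accepted
    print(verify_passcode(rec, "1234" + hotp(rec.secret, 0)))  # replay rejected
```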
Today, these tokens are in the enterprise and many want
to enter the mass market with millions of tokens. ActivCard was showing
a consumer token and RSA has announced that they have a deal with AOL
Rather than hardware tokens, it was suggested that software
tokens could serve the same role.
These OTP solutions only work where there is mutual
authentication. They do nothing against a bad guy seeking to misrepresent
another party when no mutual OTP is present.
Biometrics has a role but it is not fully defined.
The strength of Strong Authentication is very high, with
practically zero FAR and FRR. There are no enrollment issues. But
the value is based on remembering the PIN and carrying the token. The
latter has the drawbacks of the cost of the token and the need for multiple
While biometrics is intrinsic to the individual, it
also allows the individual to remember nothing. Mutual authentication,
however, is only possible in biometrics when the opposite party has
the biometric or some form of it, such as a template or image. This
has privacy implications which the token does not. A major drawback
of biometrics is its poor “quality” – the FAR and
FRR are much too high. Multifactor biometrics, even the combination
with tokens or other forms of security, can significantly raise the
It was stated that biometrics has the advantage of adding
an additional layer of security. Yet, this misses the point. Only biometrics
ties the individual to the authentication in a way that is not related
RSA stated that a corporate token costs $80 - $120.
It is their intent to drive the consumer version to <$20. We find
it hard to believe this is sufficient. For example, if one looks at
the frequently phished sites such as eBay and PayPal it is not hard
to envision many tokens having to be carried. Further, the consumer will tire
of the burden of this – it is just not convenient enough. Yet,
biometrics is held by the individual and one reader token, if a reader
is on a smart card for example, might be adequate. If the “quality” limitations
of biometrics are either overcome or accepted, biometrics has the potential
of offering a much lower cost solution.
If one assumes that price gives biometrics a market
advantage a market position can be gained by:
Being a leader in the commoditization of biometric readers;
Advocating open standards for biometric information and its matching; and
Making biometric reading portable – anytime anywhere.
There is an interesting aspect of privacy if one should
assume widespread adoption of biometrics for authentication. It is
critical to protect the biometric in the same way that cryptographic
means are protected. If the bad guys get the biometric they are able
to represent a trusted source, such as PayPal, and falsely seek the
individual out, with phishing, and “validate” and authenticate
the user. Under these conditions we are no better off than today. Multifactor
biometrics are one way to minimize the potential for such attacks as
long as both biometrics are protected.
It is important to recognize that OTP is just like physical
access. It is an entrance to the system. If keystrokes are being monitored,
yes, replicating those keystrokes will not allow for a bad guy to get
in the next time. But that also misses the point. If one has important
information such as credit card numbers, the image of a web page or the
pattern of usage of the sensitive corporate application this may be all
that is needed by a criminal. That is, if a Trojan has been planted on
the machine, having strong authentication is almost irrelevant. Granted,
such considerations are much more important to a consumer than to a robust
enterprise network infrastructure, but one cannot dismiss the reality that
access controls alone may be insufficient to address the criminalization
We come back to Taming the Beast discussed above. This
is not just a network security issue. It is also not just an identity
management issue. It is also not narrowly confined to a privacy issue.
It is all of these things.
John Shewchuk, CTO Distributed Systems, Microsoft teamed
with Kim Cameron to show how the 7 laws of identity could help provide
a foundation for an identity metasystem. The analogy was used that in
the early days of the PC writing directly to a disk drive or a display
severely limited software development. With drivers and a file system
a level of abstraction was introduced that changed application development.
That same approach is required for identity management. As a lead-in,
past lessons also provided a framework for the metasystem.
Single technology, single provider solutions are not
Single technologies with multiple providers have not
been universally deployed; and
Multiple providers with multiple technologies have meant
very little interoperability.
A metasystem provides a way that users can manage identity
in a heterogeneous world. This is because if the metasystem is carefully
developed it is possible to unify:
Multiple identity technologies;
Multiple operators; and
This can then allow:
Customer freedom with technology such as X.509, Kerberos,
SAML along with provider choice such as Self issued, private or government,
Customers can also look forward to new systems such
The essence of the metasystem is these components.
Claims Transformation and
The audience responded positively to the concept of claims
transformation that allows for a trusted way to change one set of claims
regardless of token format into another.
Microsoft has been working with many in the industry to
develop an architecture for an identity metasystem – WS-*. It has
the following components.
Composable Architecture for Web Services
Security Token format neutral which has as its basis
Dynamic system for exchanging claims which uses WS-MetadataExchange
Token and claim translation which uses WS-Trust and
this defines STS (Security Token Services)
Microsoft then demonstrated its implementation of the identity
Runtime for building distributed applications supporting
an identity metasystem.
Identity selector for Windows which safeguards user’s
Which is the infrastructure for identity and access.
An example was given of code development to allow individuals
outside of the directory to be included based on trust established by
the outside organization – federated login.
During the question session it was clear that many in the
audience were impressed by the progress made. Another aspect is that
the development of the 7 Laws of Identity by Kim Cameron was called unorthodox
for Microsoft. That is, using Kim’s blog and working in the blogosphere,
Microsoft was unusually receptive to outside participation. This was
reinforced in John’s presentation when he said that an identity
metasystem must operate in a heterogeneous world, a point that was reinforced
in the case studies presented during the conference. The conference showed
how there is a need for a unifying architecture and design which accelerates
the maturation of identity management. Microsoft demonstrated how its
work, especially in conjunction with many others, had made significant
progress in moving the technology of identity management forward.