Digital ID World Fall 2005
By John Latta, WAVE
November 9 - 10, 2005
DigitalID World is focused on the financial sector and
thus a much smaller conference (200 vs. 800) than the broad event in
the spring in San Francisco. The conference organizers have partnered
with IDG to run future conferences but it did not happen in time for
this event. The intent going forward is to have broad based conferences
on each coast with the spring conference on the West coast and the fall
conference on the East coast. This remains a unique conference focusing
on the broad issues of how to add an identity layer to networking. As
a result it covers a broad range of topics, mostly in the enterprise
Microsoft Discusses InfoCard
Building on the concepts articulated by Kim Cameron at
Digital ID World in San Francisco, Mike Jones, Director of Connected
Systems Evangelism, Microsoft, outlined InfoCard and Strong Authentication.
Key points he made included:
The Internet is missing an identity layer and there are
no easy solutions.
Digital Identity is about claims. These claims are represented
by a drivers license, credit cards and even business cards. These claims
are the basis on which all modern access technology is based.
We need a level of abstraction above identity to make
it practical. Microsoft calls this the Identity Metasystem. The players
in this Metasystem are Relying Parties, Identity Partners (in some
cases the individual), and the Subjects who are the individuals.
The Metasystem Architecture uses a WS-Trust and WS-MetadataExchange
layer between the subject and the ID Provider and Relying Party
A mockup demonstration was given using Flash technology
to show how an individual is in control of the access to web sites
where identity is to be passed. This allows both verification of the
site authentication and the information to be passed to it.
It was stated that InfoCard is a simple user abstraction
for digital identity and based on the metaphor of physical cards. This
will be shipping with Windows Vista and available for Windows XP and
The complexities of Identity Management
Biometrics fits into Identity Management as one factor
in multifactor authentication. This typically happens in the case of “strong
authentication.” But Identity Management covers many areas of enterprise
IT. Some discussed include:
Single Signon (SSO)
Roles Based Access (RBA)
Privacy and Regulatory Compliance
Employee Provisioning and Exit
Internal IT Call Services
There is a large burden of regulatory privacy compliance
in the US and Europe. Some of the US mandates include:
Foreign Corrupt Practices Act
Homeland Security Act
California SB 1386
Thus, in the whole context of enterprise identity management
issues, biometrics is but one small element. Further, identity management
is increasingly becoming a major IT activity because the scope encompasses
many high priority IT areas, as outlined above.
Panel on Strong Authentication
The panel on Strong Authentication was a mirror of the
status of where biometrics fits.
The only panel participant that has implemented a biometric
factor is United Bankers’s Bank. This company presented its case
study at the Biometrics Summit in February 2005. Its fingerprint biometric
technology goes to 2500 bank customers – mostly retail banks
and not end-customers. In response to Questions, here are some issues
they have found:
Fingerprints change with age.
Some individuals do not have fingerprints – especially
those who have come in contact with chemicals, such as farmers.
Only one customer refused to participate in the required
use of biometrics.
eTrade and eBay are planning to go to strong authentication
but it was indicated that this would be optional. The intent is to
offer this to high use customers. However, biometrics is not a part
of this plan but an OTP which augments an existing password already
in use by both merchants. This will use either RSA or VeriSign. The
additional information for the OTP will be appended to a regular password.
It will appear to come from eBay but actually one of the two companies
will supply this. The branding of this solution was felt to be important
to many companies.
In response to a question from the audience, it was indicated
that biometrics just does not provide the necessary FAR and FRR performance.
Further, it is expected that some individuals will not agree to use
biometrics, as a result of the negative impression of fingerprints,
for example. However, this was not confirmed with any data.
It was clear that the tokens are viewed as the best current
technology solution, compared to biometrics, when it comes to strong
authentication technology based on multi-factors.
Identity is a Struggle
There was not a single presentation on the second day,
only panel discussions. But the discussions continued to reiterate the
challenges which Identity Management is facing.
Panel Discussions – The Hard Road Ahead
Wachovia Bank participated in the first session in the
form of an interview. Key points include:
Identity management cannot be justified based on ROI.
The only compelling proposition related to Identity Management is password
reset automation. Once this has been addressed, it is difficult to
make a case for the broader functions of identity management.
Yet, the next major driver for identity management is
regulatory compliance. This is not an ROI issue but a mandate and thus
outside of the bounds of what must be justified with an ROI.
Security has been painted in many ways. It is the ugly
bear of the banking/financial business. Most IT security issues are
after the fact – security weights in when something has happened.
At Wachovia Bank we have changed our focus. Instead of security, we
consider issues based on risk. That is, how is risk managed? Risk assessment
and management is at the manager level. That individual must sign off
on risk and accept the management of risk. This has important organizational
implications. When incidents happen, one does not just call in security
but looks to the management of risk and what happened when risk mitigation
did not work.
One of the problems of SOX compliance is that it results
in large access lists – who accessed what applications when.
The audit of these lists is a data mining problem. In the banking industry,
auditors want to see these lists and know the bank is in compliance.
One strategy in implementing an Identity Management architecture is
to make the collection, analysis and mining of the access information
an automated process.
At Wachovia we have seen the privacy and identity management
related issues reach the CEO level. This is the kind of visibly that
few CIOs want. The justification of funds to accomplish Identity Management
becomes much easier but this also raises the expectations of management.
Words we have heard include “…you have this money. I don’t
want to hear about this again.”
Federation has the potential of being a major issue.
So far our systems are within the firewall but we expect them to migrate
to our business partners and it is here that federation is critical
but we can also see this migrating to our customers.
The regulatory and legislative environment was discussed
in another panel.
It was claimed that some 300 privacy and related bills
have been proposed in the last few years. There was some skepticism
about the ability of the Congress to pass useful legislation which
addresses the issues. An example, of bad legislation is the CanSpam
Act which is ineffective.
Part of the issue is that the industry has been lax in
moving forward. eBay and Paypal are the subject of continual phishing
attacks but have done nothing to halt them. It is considered a cost
of doing business rather than a consumer protection issue. The compromises
of consumer data at ChoicePoint and others have received considerable
press and Congressional attention. It could well be that legislation
similar to California SB 1386 will be passed on the national level
but this does not address privacy management responsibilities, only
The question was asked – Is the US a leader in
privacy compromises and criminality? One response was that criminal
activity here is 3 years ahead of England. [Hardly something to be
In follow-up conversations, it is not clear that any
legislation will emerge from Congress. There are too many powerful
competing interests which are likely to dilute consumer supportive
FFIEC Authentication Guidelines
On October 12th, 2005, the Federal Financial Institutions
Examination Council issued guidelines for Authentication in an Internet
Banking Environment. This is significant because it requires two-factor
authentication. At the DigitalID World panel there was not a clear assessment
on what this means in terms of technology and implementation. This is
an area which could foster the use of more secure authentication technology
of which biometrics is one possible factor. Here is a summary of the
The agencies consider single-factor authentication, as
the only control mechanism, to be inadequate for high-risk transactions
involving access to customer information or the movement of funds to
other parties. Financial institutions offering Internet-based products
and services to their customers should use effective methods to authenticate
the identity of customers using those products and services. The authentication
techniques employed by the financial institution should be appropriate
to the risks associated with those products and services. Account fraud
and identity theft are frequently the result of single-factor (e.g.,
ID/password) authentication exploitation. Where risk assessments indicate
that the use of single-factor authentication is inadequate, financial
institutions should implement multifactor authentication, layered security,
or other controls reasonably calculated to mitigate those risks.