By identity on Oct 06, 2009
This post is the fourth in a series of eleven posts I am writing about important trends in the Identity Management industry.
When you present identity credentials to log into an enterprise system or online Internet site, are you really who you claim to be? Do your credentials represent the "real you"?
I published one of my favorite blog posts, entitled “OpenID Credibility: Harry and Bess Truman,” back in June, 2007. A brief excerpt:
I visited MyOpenID.com and was issued an identifier for Harry Truman: http://harrytruman.openid.com. No validation, no verification of Harry's real Identity. I just plugged in President Harry Truman's birthday and home town. I did use my own personal email address, but it wasn't even validated at the time.
Interestingly enough, the Jyte.com links still work!
This little exercise, where I wasn't really THE Harry Truman, illustrates the need for Identity Assurance: a way to validate whether the identity credentials I present actually represent who I am. Identity Assurance can be described as "a means to allow Identity Providers (IdPs), Relying Parties (RPs) and subscribers to determine the degree of certainty that the identity of an entity presenting an electronic identity credential is truly represented by the presented credential."
With the continual expansion of online fraud and other threats to online security and privacy, the need for Identity Assurance methods is rising. Being able to certify that the correct identity credentials are issued to the correct user, before any access is attempted, is an increasingly critical issue.
The Liberty Alliance Identity Assurance Framework defines four progressive levels of assurance, depending on confidence in the asserted identity's validity, as shown in the following table from the Liberty Identity Assurance Framework document.
By comparing the assurance level against the potential impact of authentication errors, we get a clear picture of how the wide spectrum of online access transactions requires substantially different levels of Identity Assurance.
My impersonating the late Harry Truman requires minimal assurance because the potential impact for the transactions I conducted is minor. However, at the other end of the spectrum, identity credentials used to conduct high value financial transactions protected by civil or criminal statute are probably worthy of far more stringent Identity Assurance screening.
So, who is responsible for issuing high-level credentials? Should it be the government, which already issues validated credentials like birth certificates, passports and driver's licenses? Should it be private enterprise? It depends on the two factors illustrated above: Assurance Level and Potential Impact.
Consider these questions for your specific cases:
- What level of assurance do you require to match the risk (potential impact) to the cost and complexity of issuing identity credentials?
- What different levels may be appropriate for different applications or systems for which you are responsible?
- What sources of validation are appropriate to assure that the identity credentials you issue are valid?
- What role should government or private enterprise have in Identity Assurance?
By the way, I still think Harry and Bess look good together. What do you think?