Tuesday Oct 06, 2009

Identity Trend 4: Identity Assurance

This post is the fourth in a series of eleven posts I am writing about important trends in the Identity Management industry.

When you present identity credentials to log into an enterprise system or online Internet site, are you really who you claim to be?  Do your credentials represent the “real you”?

I published one of my favorite blog posts, entitled “OpenID Credibility: Harry and Bess Truman,” back in June, 2007.  A brief excerpt:

I visited MyOpenID.com and was issued an identifier for Harry Truman: http://harrytruman.openid.com. No validation, no verification of Harry's real Identity. I just plugged in President Harry Truman's birthday and home town. I did use my own personal email address, but it wasn't even validated at the time.

Armed with my new bogus identifier, I marched over to Jyte.com and made a couple of claims: The Buck Stops Here and I Love Bess.

Interestingly enough, the Jyte.com links still work!

This little exercise, in which I wasn’t really THE Harry Truman, illustrates the need for Identity Assurance: a way to validate whether my identity credentials really represent who I am. Identity Assurance can be described as “a means to allow Identity Providers (IdPs), Relying Parties (RPs) and subscribers to determine the degree of certainty that the identity of an entity presenting an electronic identity credential is truly represented by the presented credential.”

With the continual expansion of online fraud and other threats to online security and privacy, the need for Identity Assurance methods is rising.  Being able to certify that the correct identity credentials are issued to the correct user before access is attempted is an increasingly critical issue.

The Liberty Alliance Identity Assurance Framework defines four progressive levels of assurance, depending on confidence in the asserted identity's validity, as shown in the following table from the Liberty Identity Assurance Framework document.


By comparing the assurance level against the potential impact of authentication errors, we get a clear picture of how the wide spectrum of online access transactions requires substantially different levels of Identity Assurance.


My impersonating the late Harry Truman requires minimal assurance because the potential impact of the transactions I conducted is minor.  At the other end of the spectrum, however, identity credentials used to conduct high-value financial transactions protected by civil or criminal statute probably warrant far more stringent Identity Assurance screening.

So, who is responsible for issuing high-level credentials?  Should it be the government, which already issues validated credentials such as birth certificates, passports and driver’s licenses?  Should it be private enterprise?   It depends on the two factors illustrated above: Assurance Level and Potential Impact.
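The following is an added illustration of how a relying party can turn those two factors into an access decision; it is not code from this post or from the Liberty Alliance. It derives the required assurance level from the potential impact of an authentication error in each category, then compares it with the level the identity provider asserts for the presented credential. The category names, the tolerated-impact thresholds, the `Credential` fields and the two sample transactions are assumptions made for the example; the framework’s own threshold table is not reproduced on this page, so the numbers here are placeholders to be replaced with the published ones.

```python
"""Relying-party assurance policy check.

Added example for this post; not code from the original page or from the
Liberty Alliance. Category names, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact of an authentication error in one category."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Impact categories. The post names financial loss and civil/criminal statute;
# the remaining categories are assumed for illustration.
CATEGORIES = (
    "inconvenience_or_reputation",
    "financial_loss",
    "harm_to_programs_or_public_interest",
    "release_of_sensitive_information",
    "personal_safety",
    "civil_or_criminal_violations",
)

LEVELS = (1, 2, 3, 4)  # the framework's four progressive assurance levels

# ASSUMED thresholds: the highest impact each level (index 0 -> level 1) may
# tolerate per category. Replace with the framework's published table.
TOLERATED_IMPACT = {
    "inconvenience_or_reputation":         (Impact.LOW,  Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "financial_loss":                      (Impact.LOW,  Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "harm_to_programs_or_public_interest": (Impact.NONE, Impact.LOW,      Impact.MODERATE, Impact.HIGH),
    "release_of_sensitive_information":    (Impact.NONE, Impact.LOW,      Impact.MODERATE, Impact.HIGH),
    "personal_safety":                     (Impact.NONE, Impact.NONE,     Impact.LOW,      Impact.HIGH),
    "civil_or_criminal_violations":        (Impact.NONE, Impact.LOW,      Impact.MODERATE, Impact.HIGH),
}


def required_assurance_level(impacts):
    """Lowest level whose tolerated impact covers every category.

    `impacts` maps category name -> Impact; omitted categories count as NONE.
    Unknown category names are rejected rather than silently ignored, because
    a typo here would quietly weaken the policy.
    """
    unknown = set(impacts) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    for level in LEVELS:
        if all(impacts.get(cat, Impact.NONE) <= TOLERATED_IMPACT[cat][level - 1]
               for cat in CATEGORIES):
            return level
    raise ValueError("impact exceeds what any electronic credential level tolerates")


@dataclass(frozen=True)
class Credential:
    """What the relying party knows about a presented credential and its issuer."""
    identifier: str
    issuer: str
    asserted_level: int        # level the identity provider claims for it
    identity_proofed: bool     # did the issuer verify the real-world identity?


def access_decision(cred, impacts):
    """Return (allowed, required_level, effective_level).

    A credential issued with no identity proofing (the Harry Truman case) is
    treated as level 1 whatever its issuer asserts, because levels above 1
    presuppose that the person behind the identifier was verified.
    """
    required = required_assurance_level(impacts)
    effective = cred.asserted_level if cred.identity_proofed else 1
    return effective >= required, required, effective


# Constructed sample data: the unproofed OpenID from the post and two transactions.
HARRY = Credential("http://harrytruman.openid.com", "MyOpenID", 1, False)
JYTE_CLAIM = {"inconvenience_or_reputation": Impact.LOW}
BANK_TRANSFER = {"financial_loss": Impact.HIGH,
                 "civil_or_criminal_violations": Impact.HIGH}

if __name__ == "__main__":
    for name, impacts in (("Jyte claim", JYTE_CLAIM), ("bank transfer", BANK_TRANSFER)):
        allowed, req, eff = access_decision(HARRY, impacts)
        print(f"{name}: required level {req}, effective level {eff}, "
              f"{'allowed' if allowed else 'denied'}")
```

Run as a script, the unproofed Harry Truman identifier is allowed to post a Jyte claim (required level 1) and denied the bank transfer (required level 4). The point of the `identity_proofed` clamp is that an IdP can assert any level it likes in a protocol message; the relying party should only credit a level it has reason to believe the issuer’s enrolment process actually supports.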


Consider these questions for your specific cases:

  1. What level of assurance do you require to match the risk (potential impact) to the cost and complexity of issuing identity credentials?
  2. What different levels may be appropriate for different applications or systems for which you are responsible?
  3. What sources of validation are appropriate to assure that the identity credentials you issue are valid?
  4. What role should government or private enterprise have in Identity Assurance?

By the way, I still think Harry and Bess look good together.  What do you think?

Friday May 08, 2009

Weaving OpenID into the Browser

A few minutes ago, a tweet by @sofiaviolet led me to an interesting blog post by Scott Gilbertson.  Scott discussed an experimental Firefox plugin from the folks at Mozilla Labs that uses the Mozilla Weave service to enable automatic website login using either username/password or OpenID.  A short video by Labs developer Dan Mills shows how easily it works.

I still have several questions about security, but this certainly begins to address the ease of use issues I mentioned in my earlier post about Identity in the Browser (IDIB).


Monday Oct 15, 2007


ClaimID is a great little web site that gives me a spot to lay claim to various bits of presence and relationships I have established in cyberspace - all facets of my online Identity.



Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.

