All posts by andrew

Meeting an Immovable Object: The Economics of Consumer Identity Providers

Your Government Needs Your Consumer Identity Provider

In many parts of the world, Governments have been trying to engage industry IDPs to provide consumer identities to support government & citizen service requirements. In cases such as the US FICAM these results have at best been marginal. [1]

The fundamental reason for the lack of commercial IDP engagement is that the government requirements for high assurance credentials[2] lead to expensive identities that are not required for most commercial or enterprise usage. It is not economically interesting to IDPs to invest in creating identities that are designed for unique government requirements.

The motivations for wishing to engage commercial IDPs are essentially sound…

Large scale Consumer Identity Providers have hundreds of millions of consumers that use services that in turn trust the IDP. Consumer IDPs address many issues with friction and the user experience pain associated with occasional usage; large IDPs generally have a significant investment in professional organizations to handle the authentication, identity management, account recovery and risk analysis that cannot be matched by most service providers, including governments. While they are far from perfect, IDPs represent a significant center of expertise that has demonstrated identity operation at Internet and International scale.

However, the “assurance” required in practice for most commercial transactions barely equates to a NIST Level of Assurance (LOA) 2 Identity.

PayPal successfully utilizes its identities for financial transactions (higher assurance requirements than most commercial transactions). These identities have good identity validation[3] but in most cases are only protected by password authentication and use nothing more than session-based protections[4]. The assurance level model hides the fact that high quality identity assurance is being performed, and worse in a formal evaluation would prohibit the identities from being used for financial transactions.

This demonstrates a dilemma. The formal assurance level criteria do not seem to match real world identity usage.

The disparity between the current assurance models and actual usage poses a problem. Governments have been trying to convince commercial IDPs to jump on board and supply the identities they need. In a perfect world, the formal identity assurance specifications might be seen as an aspirational opportunity, that an enlightened world might choose to adopt.

Why would a Google, or a Facebook or a LinkedIn or a Twitter choose to add significant additional cost across hundreds of millions of users in order to meet standards such as those defined by NIST?  It takes only simple math to calculate the cost of a multi-factor authentication solution, or LOA 3 Identity when it is applied across six hundred million consumers…

Commercial IDPs are definitely interested in assisting their users to utilize their identities (or at least their authentication credentials) across a broad and growing set of services. This is the basis for recent technology innovations including OpenID Connect, OAuth and Account Chooser. However, the characteristics of the identities supported by IDPs do not correspond to what governments are requiring (hoping for?).

However, vague promises of future revenue considered against a backdrop of significant government and community scrutiny and brand risk, in addition to the high costs of creating LOA 3 identities for government, the additional capabilities that have to be included and the liabilities incurred do not constitute a reasonable business opportunity.

There are ways out of this impasse. But they require different system architectures and operating principles to the ones commercial entities are being asked to comply with.

Several fundamental approaches have merit: Risk Based Identity Evaluation and Mitigation; Separation of Identity Services; Identity Assurance Enhancement (like “step up authentication”); User Pays models.

PayPal’s “low assurance” identities work (hundreds of millions of dollars of financial transactions are successfully executed daily) because they have implemented effective risk evaluation models and compensating controls that mitigate potential issues.  Current Identity Assurance models assume that identities can be absolutely evaluated and defined. This is clearly nonsense – all identity validation systems provide at best a confidence level (often lower than we would like to believe) on the identities that are being asserted. We need models that clearly support such approaches and recommend how to mitigate corresponding risks.

Reassessing where identity services are delivered and allowing disaggregation of existing architectures would help in several government contexts. Allowing IDPs to simply assert an authentication event and deliver a credential would eliminate the need to invest in identity validation services at the IDPs, and potentially open up new business opportunities, or at least allow the gap in existing service capabilities to be addressed.

Identity assurance enhancement assumes that consumer IDPs will provide what is commercially viable, and then some other entity must enhance them so they have characteristics in keeping with desires of the services that will use them. Enhancement may take the form of a service; it may be offered on a per relying party basis or as a central function supporting many service users[5]; it may be created by government, alternatively some commercial entity may see a business opportunity and offer it as a service to government.

The user pays model goes hand in hand with the identity assurance enhancement model. If IDPs do not see value in providing higher assurance identities but government needs it, then government should pay for the enhancement. Instead of trying to convince an IDP to upgrade its general user population, pay for enhanced assurance levels as they are needed. This allows existing commercial entities an opportunity to leverage their validation techniques.

In the near term, a more realistic expression of assurance levels would be a start. I have been arguing for many years now that the simplistic evaluation of a scalar assurance level makes no sense (especially in a world where we are dealing with confidence levels on the outcomes anyway). Minimally, we need a few more finer grain assurance levels that actually map current usage?

Ideally we should move to a model that allows the collection of evaluation criteria to be reported so we can do the risk evaluation and work out which identities we can apply mitigation strategies to (a course that is not possible if we have eliminated all the information in a reductionist process).

The very short term approach will almost certainly be to accept that IDPs will create identities with an assurance level that makes business sense – one or two may even try to create high assurance identities – bite the bullet and use the ones that are available, at the assurance level they are available at. If other identities with other assurance levels are required then let’s roll up our sleeves and work out how to enhance them, who can do the work, and how to pay them.


[1] This list is an overly optimistic statement of the IDPs currently certified for FICAM use

[2] Often these emerge from a strict security motivated view of identity

[3] Like any other financial services provider, this requires compliance with Know Your Customer (KYC) rules, Anti Money Laundering (AML) requirements and a stack of others

[4] Lots of crypto protects the transactions themselves, but that is distinct from the Identity assurance and credential considerations

[5] The Federal Cloud Credential Exchange (FCCX) is an example of where enhancement services might be implemented or integrated.

Alpha Centauri, Identity and learning stuff

What’s special about Alpha Centauri? Well a bunch of things…

It is the closest star (system) that can be seen with the naked eye. It is one of the two “pointers” that in the Southern Hemisphere are used in conjunction with the Southern Cross (Crux) to locate the South Celestial Pole. It is actually a binary star (designation Cen AB) – if you are lucky enough to be south of the equator you can see the angular separation with a telescope. Finally, from an observational perspective, ever since 1689 it has been helping inform us about how the universe works.

In summary:
– Alpha Centauri is close enough to observe
– You get two stars for the price of one
– It informs us about how things really work

Over the last couple of years I have been involved in a different type of Alpha, part of the UK Govt. Identity Assurance Programme (IDAP). These Alphas have a similar set of characteristics to Cen AB…
The goal of the IDAP Alphas is to test a range of consumer identity propositions and see what happens. Many of our other identity efforts tend to fall into the category of large scale architectural and long term “meta everything” projects.

Cen AB is a “high-proper-motion” star (you can borrow Burnham’s Celestial Handbook at the RSA Bootstrap Party). Its observation blew away previous theoretical models (such as Aristotle’s) about how the Celestial Sphere worked. In the same way IDAP Alphas should help us to learn how a complex ecosystem actually behaves and then re-apply what we learn to do better next time. They are small enough to observe, they engage with Govt. and Industry and will hopefully inform us about how consumers will engage.

The UK IDAP folks are an impressive crowd. Hats off to them, for creating an ecosystem that facilitates so many lightweight experimental and observational projects.

btw, it may also turn out that Cen AB has a planet – which makes it an even cooler Alpha

Mandatory Disclosure: my current company is actively engaged on one of the many Alpha projects (Internet Life Verification) which gives me a chance to get some insights from the observer’s chair at the eyepiece …

Is there a Relying Party in the [White] House?

I was up on whitehouse.gov this morning signing up for a petition. Going through the normal account registration processes, I was looking in vain for the “login with Facebook” or “login with Google” buttons.

I am sure this version of the identity system for the web site has been in place for some time, but what happened to the dreams of utilizing OpenID (or more appropriately OpenID Connect) as the basis for registering and authenticating users to this site?

whitehouse.gov is a trivial relying party from an identity perspective. The information requested is all self asserted. The only item an IDP (OP in this case) might not be able to assert is the zip code.

Four years ago at the behest of the White House, I and a few other intrepid souls (I, in the guise of PayPal), set up several LOA1 IDPs with the express goal of supporting citizen access to this site – it was a high risk engagement for me and others at PayPal personally at that time and had its own internal implications.

whitehouse.gov was certainly using OpenID at one point, so they obviously backed it out at some later point.

I feel a little like American occupied countries that are promised a long future of support only to find out the USA got bored 12 months later.

We are fast coming up on the next IDESG meetings in Phoenix. Here is the question for NSTIC and the White House. “If a low risk web site operated by the White House is failing to use the most fundamental identity technologies (or worse has turned them off), why should the rest of the USA conclude that it is worth taking any action to implement this identity stuff?” This is a terrible reference for the NSTIC program.

Over the years there have been numerous meetings at the White House leading up to the formation of NSTIC and the IDESG. In those meetings several of us made the plea that apart from all of the multitudinous complexities the NSTIC program could address, if we simply had help engaging with RPs then we could advance the cause and adoption of trusted identities and transactions.

Four years later, we have not made any progress with RPs. Instead we have a governance structure that rivals that of a small nation in complexity (though to be fair I have always favored an LDAP over X.500 approach. :) ) and are just settling down to debate the big questions – none of which may be worth the proverbial hill of beans.

Once you clear away all the privacy issues, the rules of engagement, the sectarian interests and all of our hopes, the most important question still appears to be unanswered…

“Can we provide value to RPs that they will pay for?”

If the answer is yes, a lot of issues will be worked out in the process of growing that ecosystem. If the answer is no, then NSTIC and the associated efforts are largely a waste of time.

The Steady State Theory of the Identity Universe

Over the last year I have been looking at the question of large scale consumer identity systems, and how to bootstrap them. What struck me really early as I was considering this problem was how many conversations I had with smart people that ran something like this…

“As an IDP, millions of people will beat a path to your door to get an identity because you will provide transparent access to tens of thousands of Internet sites they will want to visit. Identity Technology xyz is astonishing and lightweight and will create huge opportunities.”

“The identity attributes you provide will enable consumers to have a really slick user experience. They will not have to logon, or run through those painful registration pages. They will be able to control their information release and privacy – you will put them back in control, and provide them safety, privacy and security”

At which point my next question would be… “Why are all these relying parties signing up to make use of new Identity Technology xyz?” Two things I came to recognize.

First, no one outside of the “Identeratii” knew what a relying party was. In fact, it is pretty clear that consumers do not know what an identity is, and would not know an Identity Provider if it bit them on the nose – more about terminology and how to talk to the world in another blog posting

Second, I came to recognize the withering and pitying look that smart people would give me that said – “You poor schmuck, you are clearly not very bright, I will try to tell you this once so pay attention.”

The answer generally went something like this.

“Relying Parties (I call them merchants or service providers mostly) will leap to implement new Identity Technology xyz because it will mean…
a) frictionless interactions with their consumers
b) massive reduction in user management overheads
c) password reset cost and overhead elimination
d) avoidance of nasty privacy and information management compliance issues
e) elimination of authentication systems
f) sharing of consumer information for the consumer’s good
g) better management of state
h) … (insert favorite technology value prop here)”

Now, I have been dealing with identity for around 20 years now, and I have seen quite a few technologies come and go. Plus, working at PayPal is pretty instructive about engagement with merchants and service providers. So I would answer, “So you are telling a merchant that you have less than 1% of the internet identified at a trust level they can use, who might possibly come to their site and get these advantages?!?” Blank look. “So they still have to keep all the old stuff and add new stuff?!?”

At PayPal we can demonstrate a significant % increase in the amount of top line revenue that will accrue to any merchant that puts in our payment mechanisms – with hard data to prove it. Do you know how hard it is for us to get a service provider or merchant to modify their site or make a change in how the interfaces are handled?

Just to be clear, I believe in all the benefits described above for consumers and merchants. It is clear that there are different market segments that have higher or lower trust requirements and transaction values (no, not just $$$ – value) will have different answers to these questions. But for e-commerce, finance, health care and a bunch of other higher value transactions, we need to show some real business benefits.

So what is going on here? I looked around for an analogue to describe what appears to be happening in the identity space at the moment, and this seemed to fit the available data – at least in my world.

I am an amateur astronomer. Several times I have had the privilege of spending a week or more at professional observatories, pretending to be a real astronomer. One of the most memorable conversations I remember hearing (over breakfast at 5 in the afternoon) was a discussion between two astrophysicists arguing about what happened to the universe 2 billionths of a second after the Big Bang. Almost everything was different in those first moments from the universe we observe today after everything had a chance to settle down. This seems to be the same for the universe of consumer identity today.

The problem is that the value propositions we espouse, only really make sense after large scale consumer identity has been in place for at least 5 years. I call this the “Steady State Theory of the Identity Universe”. We can easily describe the benefits in the steady state because there is enough network scale to make them work at that point. The really hard problem we have is that we are in bootstrapping mode and we are in relative terms only about “2 billionths of a second after the consumer identity big bang”.

There are several different models that make sense for getting from “here” (just after the big bang) to “there” (the steady state model).

One approach is to take a bounded identity community and show that you have a sufficiently high leverage point from your consumer identity space that you can show much better value than a few percent overlap with the service providers you are addressing. This bounding could be geographic, interest or community – anything that gives you a focused group to work with.

Another is to create a closed system, where you are in control of the consumers, identity provider and the relying parties (in a perfect world all three). In this way you can implement a set of progressive service types that add value over time. This is a little like the “store credit cards” you get from a Macys etc that provide value in their own environment.

Another is to tap into the enthusiasm of technologists who want to adopt the latest coolest thing – yes, we all know who we are…

Yet another is to provide an ecosystem where the value from the small number of consumers, is so appreciably high, that the relying party will really, really want to interact with them. If this can be tied directly to fraud/risk reduction, or increased revenue then this is a potential winner.

At PayPal we have been thinking about how do we show value to the various players (there are probably at least 4) in an identity ecosystem, and what are the success criteria. One of the more interesting challenges is how do you decouple the value propositions so you do not have to show value to all participants at the same time (I hear another blog posting).

I am sure there are different “correct” answers in any of the bootstrapping models. And clearly the answer varies by technology, market, community and business segment. What I want to focus on here is that irrespective of which is your favorite hobby horse, talking to relying parties, consumers and identity providers about value propositions that will not be realized until we are operating in the “Steady State of the Identity Universe” will not actually help (yes, I do know how technology evangelism works). What we need to focus on is how to bootstrap these models.

In general my contention has been for a long while, that we have no shortage of technologies. The real issue is how to build business and service models that will let us get to where we want to go.

Sheesh – who knew this was going to be so hard

I had great intentions (am I in hell yet?) about discussing my thoughts and findings as I worked through the various issues relating to consumer identity

My excuses are that a) proprietary and strategic value to my employer, and b) actually realizing I ought to shut up and test a bunch of thoughts … have resulted in me not actually wanting to say anything in a blog context for quite a while

Well, I think I have some thoughts that are worth sharing (or at least debating), so I am hoping to get them written down.

The discussion my thoughts have been generating recently has been fun and engaging, so it looks like at least some people think I may have some interesting ideas – as always you will all make up your own mind :)

Web usability consultants hit Trust jackpot …

… or How a Web usability consultancy ignored the recommendations of their own trust report … a cautionary tale!!!

Last week I was pointed to a report on Trust from the Nielsen Norman Group – specialists in User Experience. It discussed topics relevant to the research I am doing on user trust for e-services so I paid my $45 for a single use copy of the report.

Their recommendations included:

  1. Word of Mouth – people will accept and trust a friend’s recommendations more than a brand name
  2. Fair Pricing, Fully Revealed
  3. Provide honest information about products
  4. Remove outdated content immediately
  5. Offer free returns
  6. Access to helpful people
  7. Access to real human beings can increase trust

My ears pricked up when I read that the web sites tested were accessed over a 56k modem. It slowly dawned on me that the report was a “mere” 8 years old. While a lot of user experience information is timeless, I felt cheated.

I checked – the web site did not list a publication date for the report. They had broken recommendations 2, 3 & 4. So I looked for a way to voice my issues. Damn – recommendation 7 went down as well. But wait, I could send email! I complained that their advertising was misleading and that they had broken numerous recommendations in their own report.

Sigh, you guessed it, recommendation 6 went down in flames – an unsympathetic CSR retorted that my expectations were unreasonable. It was clear that recommendation 5 was not going to be honored either and I was still going to be out my $45.

At least recommendation 1 survives. My word of mouth recommendation is that you should treat statements from this group with skepticism – caveat emptor when purchasing any reports.

IIW

I have been out of the mainstream of the identity discussions for the last four years while I worked on issues of securing XML messaging and service oriented architectures. So the Internet Identity Workshop appeared with perfect timing in the second week of my new job – thanks for the invitation Phil.

There are certainly a lot of new endeavors that have started up and I enjoyed the content at IIW and the interaction with some very bright people. However, I was more than a little disappointed at the number of people who do not understand the underlying issues that make identity systems hard to construct. There was a lot of enthusiasm for OpenID and allied mechanisms and I am certainly in favor of the privacy and identity motivations behind Identity 2.0.

Unfortunately sessions dealing with “establishing trusted identity providers” or “how to trust an identity provider” kept dropping into discussions about low level mechanisms. Honestly, all the black lists and white lists or alternative schemes will not address fundamental questions like “How do you create a trusted identity authority?”, or “How do you determine if an identity provider is trustworthy for my intended identity use?”.

Still, that is about what you might expect for the maturity level of a new endeavor; there is lots of work on the technology and protocol level, but that has never really been the hard part – here’s to hoping that the issues that will make or break these efforts will make some progress here soon.

Cheers,
Andrew

Welcome

After an hiatus of a few years, I am back squarely in the middle of a number of enterprise efforts that directly rely on identities, have the need for authentication, access control and entitlements, and have various aspects of single sign-on federation, privacy and all the other usual suspects.

I am hoping to engender dialog here about these issues and more – see the Musings about Musings page above for more. So jump on board, your comments are welcome within the bounds of good taste identified under the Conventions page.

–andrew