Category Archives: Identity Providers

Meeting an Immovable Object The Economics of Consumer Identity Providers

Uncle_Sam_(pointing_finger)
Your Government Needs Your Consumer Identity Provider

In many parts of the world, Governments have been trying to engage industry IDPs to provide consumer identities to support government & citizen service requirements. In cases such as the US FICAM these results have at best been marginal. [1]

The fundamental reason for lack of commercial IDP engagement is that the government requirements for high assurance credentials[2] leads to expensive identities that are not required for most commercial or enterprise usage. It is not economically interesting to IDPs to invest in creating identities that are designed for unique government requirements.

The motivations for wishing to engage commercial IDPs are essentially sound…

Large scale Consumer Identity Providers have hundreds of millions of consumers that use services that in turn trust the IDP. Consumers IDPs address many issues with friction and the user experience pain associate with occasional usage; large IDPs generally have a significant investment in professional organizations to handle the authentication, identity management, account recovery and risk analysis that cannot be matched by most service providers, including governments. While they are far from perfect IDPs represent a significant center of expertise that have demonstrated identity operation at Internet and International scale.

However, the “assurance” required for in practice for most commercial transactions barely equates to a NIST Level of Assurance (LOA) 2 Identity.

PayPal successfully utilizes its identities for financial transactions (higher assurance requirements than most commercial transactions). These identities have good identity validation[3] but in most cases are only protected by password authentication and use nothing more than session-based protections[4]. The assurance level model hides the fact that high quality identity assurance is being performed, and worse in a formal evaluation would prohibit the identities from being used for financial transactions.

This demonstrates a dilemma. The formal assurance level criteria do not seem to match real world identity usage.

The disparity between the current assurance models and actual usage poses a problem. Governments have been trying to convince commercial IDPs to jump on board and supply the identities they need. In a perfect world, the formal identity assurance specifications might be seen as an aspirational opportunity, that an enlightened world might choose to adopt.

Why would a Google, or a Facebook or a LinkedIn or a Twitter choose to add significant additional cost across hundreds of millions of users in order to meet standards such as those defined by NIST?  It takes only simple math to calculate the cost of a multi-factor authentication solution, or LOA 3 Identity when it is applied across six hundred million consumers…

Commercial IDPs are definitely interested assisting their users to utilize their identities (or at least their authentication credentials) across a broad and growing set of services. This is the basis for recent technology innovations including OpenID Connect, OAuth and Account Chooser. However, the characteristics of the identities supported by IDPs do not correspond to what governments are requiring (hoping for?).

However, vague promises of future revenue considered against a backdrop of significant government and community scrutiny and brand risk, in addition to the high costs of creating LOA 3 identities for government, the additional capabilities that have to be included and the liabilities incurred do not constitute a reasonable business opportunity.

There are ways out of this impasse. But they require different system architectures and operating principles to the ones commercial entities are being asked to comply with.

Several fundamental approaches have merit: Risk Based Identity Evaluation and Mitigation; Separation of Identity Services; Identity Assurance Enhancement (like “step up authentication”); User Pays models.

PayPal’s “low assurance” identities work . However, the characteristics of the identities supported by IDPs do not correspond to what governments are requiring (hoping for?).

However, vague promises of future revenue considered against a backdrop of significant government and community scrutiny and brand risk, in addition to the high costs of creating LOA 3 identities for government, the additional capabilities that have to be included and the liabilities incurred do not constitute a reasonable business opportunity.

There are ways out of this impasse. But they require different system architectures and operating principles to the ones commercial entities are being asked to comply with.

Several fundamental approaches have merit: Risk Based Identity Evaluation and Mitigation; Separation of Identity Services; Identity Assurance Enhancement (like “step up authentication”); User Pays models.

PayPal’s “low assurance” identities work Viagra (hundreds Viagra of millions of dollars of financial transactions are successfully executed daily) because they have implemented effective risk evaluation models and compensating controls that mitigate potential issues.  Current Identity Assurance models assume that identities can be absolutely evaluated and defined. This is clearly nonsense – all identity validation systems provide at best a confidence level (often lower than we would like to believe) on the identities that are being asserted. We need models that clearly support such approaches and recommend how to mitigate corresponding risks.

Reassessing where identity services are delivered and allowing disaggregation of existing architectures would help in several government contexts. Allowing IDPs to simply assert an authentication event and deliver a credential would eliminate the need to invest in identity validation services at the IDPs, and potentially open up new business opportunities, or at least allow the gap in existing service capabilities to be addressed.

Identity assurance enhancement assumes that consumer IDPs will provide what is commercially viable, and then some other entity must enhance them so they have characteristics in keeping with desires of the services that will use them. Enhancement may take the form of a service; it may be offered on a per relying party basis or as a central function supporting many service users[5]; it may be created by government, alternatively some commercial entity may see a business opportunity and offer it as a service to government.

The user pays model goes hand in hand with the identity assurance enhancement model. If IDPs do not see value in providing higher assurance identities but government needs it, then government should pay for the enhancement, Instead of trying to convince an IDP to upgrade its general user population, pay for enhanced assurance levels as they are needed. This allows existing commercial entities an opportunity to leverage their validation techniques.

In the near term, a more realistic expression of assurance levels would be a start. I have been arguing for many years now that the simplistic evaluation of a scalar assurance level makes no sense (especially in a world where we are dealing with confidence levels on the outcomes anyway). Minimally, we need a few more finer grain assurance levels that actually map current usage?

Ideally we should move to a model that allows the collection of evaluation criteria to be reported so we can do the risk evaluation and work out which identities we can apply mitigation strategies to (a course that is not possible if we have eliminated all the information in a reductionist process).

The very short term approach will almost certainly be to accept that IDPs will create identities with an assurance level that makes business sense – a one or two may even try to create high assurance identities – bight the bullet and use the ones that are available, at the assurance level they are available at. If other identities with other assurance levels are required then let’s role up our sleeves and work out how to how to enhance them, who can do the work, and how to pay them.


[1] This list is an overly optimistic statement of the IDPs currently certified for FICAM use

[2] Often these emerge from a strict security motivated view of identity

[3] Like any other financial services provider, this requires compliance with Know Your Customer (KYC) rules, Anti Money Laundering (AML) requirements and a stack of others

[4] Lots of crypto protects the transactions themselves, but that is distinct from the Identity assurance and credential considerations

[5] The Federal Cloud Credential Exchange (FCCX) is an example of where enhancement services might be implemented or integrated.

The Identity Information Ecosystem is ready for Startups

The Consumer Identity world has changed substantially over the last 6 or 7 years (a personal reference point).

We have seen a lot of developments over that time. At a protocol level there have been several iterations of OpenID, the new one is pretty sexy (thanks Mike, John and Nat); Information Cards came and went; OAuth appeared and improved. The Open Identity eXchange was jointly founded by the OIDF and the ICF. We had meetings with White House CIO’s, meetings with National Security Czars in the White House Situation Room and the Minister for the UK Cabinet In the Cabinet Offices. The National Strategy for Trusted Identities in Cyberspace (NSTIC) was launched and advised. DIDW passed away (even more sadly so have some Identity friends), as did Sun Microsystems but the Internet Identity Workshop, Ping Identity and the Cloud Identity Summit develed or emerged, as did many new friends and concepts.

Six years ago, it was clear that to have a significant effect on the development of Consumer Identity, you had to start with a large collection of users and have a brand recognized and trusted by consumers(1).

Breaking out of the bootstrapping chasm seemed an insurmountable challenge for a startup. I badly wanted to work in a Consumer Identity startup after playing in the XML Gateway space for a while. However, the history of the various identity start-ups over that period validated my conclusion that it was not a good time to engage as a startup. Fortunately , Michael Barrett inveigled me to join at PayPal (after dangling the 600 million eBay Inc consumer identities in front of me). Since then I have been waiting impatiently for enough technology, platform, ecosystem and value to develop that would allow an identity startup to have a reasonable chance at success.

I joined Google to help create a consumer identity/information framework (platform, ecosystem, or whatever you prefer to call it). The Open Attribute Exchange work (part of OIX now) that started as Street Identity has been an enormously fun and exciting ride. I have learned a *huge* amount and had an opportunity to build on the conceptual work we had started at PayPal.

Like anything significant, it has had its share of frustrations.

A few months ago, wrestling the Xanax Attribute Xanax Exchange concepts through the Legal, Operations, PR, Policy, Privacy, Government folks in Google (all of whom are very bright, thoughtful and professional people) – in several countries – I hit a major frustration point. Driving home that afternoon it struck me that the ecosystem, technology and business engagements we have developed over the last few years had created the starting point for successful startups. It also became clear how to leverage the major IDP’s in several different ways.

Well, we have successfully completed the Attribute Exchange work and have a number of companies actively piloting solutions built on the framework. Fully operational API’s blessed by all of the  required Google groups have been launched and are available for you to work with.

The challenge is that Google for a host of reasons has to play an enabling role in the Consumer Identity/Attribute Exchange world. It can help create the playground, but does not get to have fun playing on the swings or monkey bars. Other companies have to develop the new business models, value propositions, use cases and solutions that will advance Consumer Information sharing models.

I have decided (somewhat sadly) it is time to move from Google for a consumer identity information startup (yes, I am the kid that liked to leap off the swing at the top of its arc).

I am hugely excited to announce that I will be taking on the role of CTO for Trulioo, (www.trulioo.com) working in the area of social identity verification.

To those of you that have shared in the ride so far, I would like to extend my thanks for what I have learned from you and what we have managed to build to date. I hope to continue to engage with you as Trulioo helps enable you as an individual to access the services you need, with the control and insight we as consumers would all like to have.

————–

(1) The bootstrapping chasm was clear. To provide value to consumers you needed to have a very large number of service providers (relying parties) to justify the investment in creating and managing an identity. However, to get large numbers of relying parties, you needed to have a large consumer base and significant coverage of the customer base.

The Steady State Theory of the Identity Universe

Over the last year I have been looking at the question of large scale consumer identity systems, and how to bootstrap them. What struck me really early as I was considering this problem was how many conversations I had with smart people that ran something like this…

“As an IDP, millions of people will beat a path to your door to get an identity because you will provide transparent access to tens of thousands of Internet sites they will want to visit. Identity Technology xyz is astonishing and lightweight and will create huge opportunities.”

“The identity attributes you provide will enable consumers to have a really slick user experience. They will not have to logon, or run through those painful registration pages. They will be able to control their information release and privacy – you will put them back in control, and provide them safety, privacy and security”

At which point my next question would be… “Why are all these relying parties signing up to make use of new Identity Technology xyz?” Two things I came to recognize.

First, no one outside of the “Identeratii” knew what a relying party was. In fact, it is pretty clear that consumers do not know what an identity is, and would not know an Identity Provider if it bit them on the nose – more about terminology and how to talk to the world in another blog posting

Second, I came to recognize the withering and pitying look that smart people would give me that said – “You poor schmuck, you are clearly not very bright, I will try to tell you this once so pay attention.”

The answer generally went something like this.

“Relying Parties (I call them merchants or service providers mostly) will leap to implement new Identity Technology xyz because it will mean…
a) frictionless interactions with their consumers
b) massive reduction in user management overheads
c) password reset cost and overhead elimination
d) avoidance of nasty privacy and information management compliance issues
e) elimination of authentication systems
f) sharing of consumer information for the consumers good
g) better management of state
h) … (insert favorite technology value prop here)

Now, I have been dealing with identity for around 20 years now, and I have seen quite a few technologies come and go. Plus, working at PayPal is pretty instructive about engagement with merchants and service providers. So I would answer, “So you are telling a merchant that you have less than 1% of the internet identified at a trust level they can use, who might possibly come to their site and get these advantages?!?” Blank look. “So they still have to keep all the old stuff and add new stuff?!?”

At PayPal we can demonstrate a significant % increase in the amount of top line revenue that will accrue to any merchant that puts in our payment mechanisms – with hard data to prove it. Do you know how hard it is for us to get a service provider or merchant to modify their site or make a change in how the interfaces are handled?

Just to be clear, I believe in all the benefits described above for consumers and merchants. It is clear that there are different market segments that have higher or lower trust requirements and transaction values (no, not just $$$ – value) will have different answers to these questions. But for e-commerce, finance, health care and a bunch of other higher value transactions, we need to show some real business benefits.

So what is going on here? I looked around for an analogue to describe what appears to be happening in the identity space at the moment, and this seemed to fit the available data – at least in my world hgh height growth.

I HGH am an amateur astronomer. Several times I have had the privilege of spending a week or more at professional observatories, pretending to be a real astronomer. One of the most memorable conversations I remember hearing (over breakfast at 5 in the afternoon) was a discussion between two astrophysicists arguing about what happened to the universe 2 billionths of a second after the Big Bang. Almost everything was different in those first moments from the universe we observe today after everything had a chance to settle down. This seems to be the same for the universe of consumer identity today.

The problem is that the value propositions we espouse, only really make sense after large scale consumer identity has been in place for at least 5 years. I call this the “Steady State Theory of the Identity Universe”. We can easily describe the benefits in the steady state because there is enough network scale to make them work at that point. The really hard problem we have is that we are in bootstrapping mode and we are in relative terms only about “2 billionths of a second after the consumer identity big bang”.

There are several different models that make sense for getting from “here” (just after the big bang) to “there” (the steady state model).

One approach is to take a bounded identity community and show that you have a sufficiently high leverage point from your consumer identity space that you can show much better value than a few percent overlap with the service providers you are addressing. This bounding could be geographic, interest or community – anything that gives you a focused group to work with.

Another is to create a closed system, where you are in control of the consumers, identity provider and the relying parties (in a perfect world all three). In this way you can implement a set of progressive service types that add value over time. This is a little like the “store credit cards” you get from a Macys etc that provide value in their own environment.

Another is to tap into the enthusiasm of technologists who want to adopt the latest coolest thing – yes, we all know who we are…

Yet another is to provide an ecosystem where the value from the small number of consumers, is so appreciably high, that the relying party will really, really want to interact with them. If this can be tied directly to fraud/risk reduction, or increased revenue then this is a potential winner.

At PayPal we have been thinking about how do we show value to the various players (there are probably at least 4) in an identity ecosystem, and what are the success criteria. One of the more interesting challenges is how do you decouple the value propositions so you do not have to show value to all participants at the same time (I hear another blog posting).

I am sure there are different “correct” answers in any of the bootstrapping models. And clearly the answer varies by technology, market, community and business segment. What I want to focus on here is that irrespective of which is your favorite hobby horse, talking to relying parties, consumers and identity providers about value propositions that will not be realized until we are operating in the “Steady State of the Identity Universe” will not actually help (yes, I do know how technology evangelism works). What we need to focus on is how to bootstrap these models.

In general my contention has been for a long while, that we have no shortage of technologies. The real issue is how build business and service models that will let us get to where we want to go.

IIW

I have been out of the mainstream of the identity discussions for the last four years while I worked on issues of securing XML messaging and service oriented architectures. So the Internet Identity Workshop appeared with perfect timing in the second week of my new job – thanks for the invitation Phil.

There are certainly a lot of new endeavors that have started up and I enjoyed the content at IIW and the interaction with some very bright people. However, I was more than a little disappointed at the number of people who do not understand the underlying issues that make identity systems hard to construct. There was a lot of enthusiasm for OpenID and allied mechanisms and I am certainly in favor of the privacy and winnsboro payday loan identity national cash advance payday loans motivations behind Identity 2.0.

Unfortunately sessions dealing with “establishing trusted identity providers” or “how to trust an identity provider” kept dropping into discussions about low level mechanisms. Honestly, all the black lists and white lists or alternative schemes will not address fundamental questions like “How do you create a trusted identity authority?”, or “How do you determine if an identity provider is trustworthy for my intended identity use?”.

Still, that is about what you might expecdt for the maturity level of a new endeavor; there is lots of work on the technology and protocol level, but that has never really been the hard part – here’s to hoping that the issues that will make or break these efforts will make some progress here soon.

Cheers,
Andrew