Category Archives: The Business of Identity

“Meeting an Immovable Object” – The Economics of Consumer Identity Providers

Your Government Needs Your Consumer Identity Provider

In many parts of the world, governments have been trying to engage industry IDPs to provide consumer identities to support government and citizen service requirements. In cases such as the US FICAM program, the results have at best been marginal. [1]

The fundamental reason for the lack of commercial IDP engagement is that the government requirements for high assurance credentials[2] lead to expensive identities that are not required for most commercial or enterprise usage. It is not economically interesting to IDPs to invest in creating identities that are designed for unique government requirements.

The motivations for wishing to engage commercial IDPs are essentially sound…

Large scale Consumer Identity Providers have hundreds of millions of consumers that use services that in turn trust the IDP. Consumer IDPs address many of the friction and user experience problems associated with occasional usage; large IDPs generally have a significant investment in professional organizations to handle the authentication, identity management, account recovery and risk analysis that cannot be matched by most service providers, including governments. While they are far from perfect, IDPs represent a significant center of expertise that has demonstrated identity operation at Internet and international scale.

However, the “assurance” required in practice for most commercial transactions barely equates to a NIST Level of Assurance (LOA) 2 identity.

PayPal successfully utilizes its identities for financial transactions (higher assurance requirements than most commercial transactions). These identities have good identity validation[3] but in most cases are only protected by password authentication and use nothing more than session-based protections[4]. The assurance level model hides the fact that high quality identity assurance is being performed, and, worse, a formal evaluation would prohibit the identities from being used for financial transactions.

This demonstrates a dilemma. The formal assurance level criteria do not seem to match real world identity usage.

The disparity between the current assurance models and actual usage poses a problem. Governments have been trying to convince commercial IDPs to jump on board and supply the identities they need. In a perfect world, the formal identity assurance specifications might be seen as an aspirational opportunity, that an enlightened world might choose to adopt.

Why would a Google, or a Facebook or a LinkedIn or a Twitter choose to add significant additional cost across hundreds of millions of users in order to meet standards such as those defined by NIST? It takes only simple math to calculate the cost of a multi-factor authentication solution, or an LOA 3 identity, when it is applied across six hundred million consumers…

Commercial IDPs are definitely interested in assisting their users to utilize their identities (or at least their authentication credentials) across a broad and growing set of services. This is the basis for recent technology innovations including OpenID Connect, OAuth and Account Chooser. However, the characteristics of the identities supported by IDPs do not correspond to what governments are requiring (hoping for?).

However, vague promises of future revenue considered against a backdrop of significant government and community scrutiny and brand risk, in addition to the high costs of creating LOA 3 identities for government, the additional capabilities that have to be included and the liabilities incurred do not constitute a reasonable business opportunity.

There are ways out of this impasse. But they require different system architectures and operating principles from the ones commercial entities are being asked to comply with.

Several fundamental approaches have merit: Risk Based Identity Evaluation and Mitigation; Separation of Identity Services; Identity Assurance Enhancement (like “step up authentication”); User Pays models.

PayPal’s “low assurance” identities work (hundreds of millions of dollars of financial transactions are successfully executed daily) because they have implemented effective risk evaluation models and compensating controls that mitigate potential issues.  Current Identity Assurance models assume that identities can be absolutely evaluated and defined. This is clearly nonsense – all identity validation systems provide at best a confidence level (often lower than we would like to believe) on the identities that are being asserted. We need models that clearly support such approaches and recommend how to mitigate corresponding risks.

Reassessing where identity services are delivered and allowing disaggregation of existing architectures would help in several government contexts. Allowing IDPs to simply assert an authentication event and deliver a credential would eliminate the need to invest in identity validation services at the IDPs, and potentially open up new business opportunities, or at least allow the gap in existing service capabilities to be addressed.

Identity assurance enhancement assumes that consumer IDPs will provide what is commercially viable, and then some other entity must enhance those identities so they have characteristics in keeping with the desires of the services that will use them. Enhancement may take the form of a service; it may be offered on a per relying party basis or as a central function supporting many service users[5]; it may be created by government, or alternatively some commercial entity may see a business opportunity and offer it as a service to government.

The user pays model goes hand in hand with the identity assurance enhancement model. If IDPs do not see value in providing higher assurance identities but government needs them, then government should pay for the enhancement. Instead of trying to convince an IDP to upgrade its general user population, pay for enhanced assurance levels as they are needed. This allows existing commercial entities an opportunity to leverage their validation techniques.

In the near term, a more realistic expression of assurance levels would be a start. I have been arguing for many years now that the simplistic evaluation of a scalar assurance level makes no sense (especially in a world where we are dealing with confidence levels on the outcomes anyway). At a minimum, we need a few more finer-grained assurance levels that actually map to current usage.

Ideally we should move to a model that allows the collection of evaluation criteria to be reported so we can do the risk evaluation and work out which identities we can apply mitigation strategies to (a course that is not possible if we have eliminated all the information in a reductionist process).

The very short term approach will almost certainly be to accept that IDPs will create identities with an assurance level that makes business sense – one or two may even try to create high assurance identities – bite the bullet and use the ones that are available, at the assurance level they are available at. If other identities with other assurance levels are required then let’s roll up our sleeves and work out how to enhance them, who can do the work, and how to pay them.
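To make the argument above concrete (the PayPal case, where a validated but password-only identity is rejected by a scalar LOA evaluation, and the call to report the evaluation criteria so the relying party can do its own risk evaluation and mitigation), here is an added Python model. It is not code from this post or from any IDP; the criteria names, confidence values, the exposure formula and every threshold are constructed assumptions chosen only to show the contrast between the two evaluation styles.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"
    STEP_UP = "step_up"  # ask for a stronger authentication event
    ENHANCE = "enhance"  # route through an identity assurance enhancement service
    REJECT = "reject"


@dataclass(frozen=True)
class Assertion:
    """Evaluation criteria an IDP could report instead of a single scalar LOA.
    Fields are constructed confidences in [0, 1] (assumption), not any real scale."""
    proofing: float       # confidence that the identity was validated (KYC-style)
    auth_strength: float  # strength of this authentication event (password ~0.3, MFA ~0.8)
    recovery: float       # strength of the account recovery controls
    risk_score: float     # IDP-side session risk signal; 1.0 means no risk indicators


def scalar_loa(a: Assertion) -> int:
    """Reductionist mapping: the weakest criterion bounds the whole level (1..3)."""
    weakest = min(a.proofing, a.auth_strength, a.recovery)
    if weakest >= 0.8:
        return 3
    return 2 if weakest >= 0.5 else 1


def loa_policy(a: Assertion, required_loa: int) -> Decision:
    """Formal evaluation: one threshold on the collapsed level, nothing else."""
    return Decision.ACCEPT if scalar_loa(a) >= required_loa else Decision.REJECT


def risk_policy(a: Assertion, txn_value: float, step_up_available: bool) -> Decision:
    """RP-side evaluation over the reported criteria with compensating controls.
    Exposure is the transaction value weighted by the IDP's risk signal: a validated
    identity with a weak factor is accepted while exposure stays under a constructed
    limit and stepped up beyond it; an unvalidated one is sent for enhancement."""
    if a.proofing < 0.5:
        return Decision.ENHANCE  # the user-pays enhancement service can proof it
    exposure = txn_value * (1.0 - a.risk_score)
    if a.auth_strength >= 0.8 or exposure < 5.0:
        return Decision.ACCEPT
    return Decision.STEP_UP if step_up_available else Decision.REJECT


# Constructed samples: a payment-style identity (good proofing, password only,
# clean risk signal) and a social login with no identity validation at all.
PAYMENT_IDENTITY = Assertion(proofing=0.9, auth_strength=0.3, recovery=0.7, risk_score=0.95)
SOCIAL_IDENTITY = Assertion(proofing=0.2, auth_strength=0.3, recovery=0.5, risk_score=0.9)


def compare(a: Assertion, required_loa: int, txn_value: float) -> dict:
    """What each model decides for the same assertion and transaction."""
    return {
        "scalar_loa": scalar_loa(a),
        "loa_policy": loa_policy(a, required_loa),
        "risk_policy": risk_policy(a, txn_value, step_up_available=True),
    }


if __name__ == "__main__":
    for name, ident in (("payment", PAYMENT_IDENTITY), ("social", SOCIAL_IDENTITY)):
        for value in (25.0, 500.0):
            print(name, value, compare(ident, required_loa=2, txn_value=value))
```

The payment-style identity collapses to LOA 1 and is refused by the scalar policy for any LOA 2 requirement, while the criteria-based policy accepts it for small exposures and asks for step-up only where the exposure grows.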


[1] This list is an overly optimistic statement of the IDPs currently certified for FICAM use

[2] Often these emerge from a strict security motivated view of identity

[3] Like any other financial services provider, this requires compliance with Know Your Customer (KYC) rules, Anti Money Laundering (AML) requirements and a stack of others

[4] Lots of crypto protects the transactions themselves, but that is distinct from the Identity assurance and credential considerations

[5] The Federal Cloud Credential Exchange (FCCX) is an example of where enhancement services might be implemented or integrated.

Is there a Relying Party in the [White] House?

I was up on whitehouse.gov this morning signing up for a petition. Going through the normal account registration processes, I was looking in vain for the “login with Facebook” or “login with Google” buttons.

I am sure this version of the identity system for the web site has been in place for some time, but what happened to the dreams of utilizing OpenID (or more appropriately OpenID Connect) as the basis for registering and authenticating users to this site?

whitehouse.gov is a trivial relying party from an identity perspective. The information requested is all self-asserted. The only item an IDP (OP in this case) might not be able to assert is the zip code.

Four years ago at the behest of the White House, I and a few other intrepid souls (I, in the guise of PayPal), set up several LOA1 IDPs with the express goal of supporting citizen access to this site – it was a high risk engagement for me and others at PayPal personally at that time and had its own internal implications.

whitehouse.gov was certainly using OpenID at one point, so they obviously backed it out at some later point.

I feel a little like American occupied countries that are promised a long future of support only to find out the USA got bored 12 months later.

We are fast coming up on the next IDESG meetings in Phoenix. Here is the question for NSTIC and the White House. “If a low risk web site operated by the White House is failing to use the most fundamental identity technologies (or worse has turned them off), why should the rest of the USA conclude that it is worth taking any action to implement this identity stuff?” This is a terrible reference for the NSTIC program.

Over the years there have been numerous meetings at the White House leading up to the formation of NSTIC and the IDESG. In those meetings several of us made the plea that apart from all of the multitudinous complexities the NSTIC program could address, if we simply had help engaging with RPs then we could advance the cause and adoption of trusted identities and transactions.

Four years later, we have not made any progress with RPs. Instead we have a governance structure that rivals that of a small nation in complexity (though to be fair I have always favored an LDAP over X.500 approach. :) ) and are just settling down to debate the big questions – none of which may be worth the proverbial hill of beans.

Once you clear away all the privacy issues, the rules of engagement, the sectarian interests and all of our hopes, the most important question still appears to be unanswered…

“Can we provide value to RPs that they will pay for?”

If the answer is yes, a lot of issues will be worked out in the process of growing that ecosystem. If the answer is no, then NSTIC and the associated efforts are largely a waste of time.

The Identity Information Ecosystem is ready for Startups

The Consumer Identity world has changed substantially over the last 6 or 7 years (a personal reference point).

We have seen a lot of developments over that time. At a protocol level there have been several iterations of OpenID, the new one is pretty sexy (thanks Mike, John and Nat); Information Cards came and went; OAuth appeared and improved. The Open Identity eXchange was jointly founded by the OIDF and the ICF. We had meetings with White House CIOs, meetings with National Security Czars in the White House Situation Room and the Minister for the UK Cabinet in the Cabinet Offices. The National Strategy for Trusted Identities in Cyberspace (NSTIC) was launched and advised. DIDW passed away (even more sadly so have some Identity friends), as did Sun Microsystems, but the Internet Identity Workshop, Ping Identity and the Cloud Identity Summit developed or emerged, as did many new friends and concepts.

Six years ago, it was clear that to have a significant effect on the development of Consumer Identity, you had to start with a large collection of users and have a brand recognized and trusted by consumers(1).

Breaking out of the bootstrapping chasm seemed an insurmountable challenge for a startup. I badly wanted to work in a Consumer Identity startup after playing in the XML Gateway space for a while. However, the history of the various identity start-ups over that period validated my conclusion that it was not a good time to engage as a startup. Fortunately, Michael Barrett inveigled me into joining PayPal (after dangling the 600 million eBay Inc consumer identities in front of me). Since then I have been waiting impatiently for enough technology, platform, ecosystem and value to develop that would allow an identity startup to have a reasonable chance at success.

I joined Google to help create a consumer identity/information framework (platform, ecosystem, or whatever you prefer to call it). The Open Attribute Exchange work (part of OIX now) that started as Street Identity has been an enormously fun and exciting ride. I have learned a *huge* amount and had an opportunity to build on the conceptual work we had started at PayPal.

Like anything significant, it has had its share of frustrations.

A few months ago, wrestling the Attribute Exchange concepts through the Legal, Operations, PR, Policy, Privacy, Government folks in Google (all of whom are very bright, thoughtful and professional people) – in several countries – I hit a major frustration point. Driving home that afternoon it struck me that the ecosystem, technology and business engagements we have developed over the last few years had created the starting point for successful startups. It also became clear how to leverage the major IDP’s in several different ways.

Well, we have successfully completed the Attribute Exchange work and have a number of companies actively piloting solutions built on the framework. Fully operational APIs blessed by all of the required Google groups have been launched and are available for you to work with.

The challenge is that Google for a host of reasons has to play an enabling role in the Consumer Identity/Attribute Exchange world. It can help create the playground, but does not get to have fun playing on the swings or monkey bars. Other companies have to develop the new business models, value propositions, use cases and solutions that will advance Consumer Information sharing models.

I have decided (somewhat sadly) it is time to move from Google to a consumer identity information startup (yes, I am the kid that liked to leap off the swing at the top of its arc).

I am hugely excited to announce that I will be taking on the role of CTO for Trulioo (www.trulioo.com), working in the area of social identity verification.

To those of you that have shared in the ride so far, I would like to extend my thanks for what I have learned from you and what we have managed to build to date. I hope to continue to engage with you as Trulioo helps enable you as an individual to access the services you need, with the control and insight we as consumers would all like to have.

————–

(1) The bootstrapping chasm was clear. To provide value to consumers you needed to have a very large number of service providers (relying parties) to justify the investment in creating and managing an identity. However, to get large numbers of relying parties, you needed to have a large consumer base and significant coverage of the customer base.

The Steady State Theory of the Identity Universe

Over the last year I have been looking at the question of large scale consumer identity systems, and how to bootstrap them. What struck me really early as I was considering this problem was how many conversations I had with smart people that ran something like this…

“As an IDP, millions of people will beat a path to your door to get an identity because you will provide transparent access to tens of thousands of Internet sites they will want to visit. Identity Technology xyz is astonishing and lightweight and will create huge opportunities.”

“The identity attributes you provide will enable consumers to have a really slick user experience. They will not have to logon, or run through those painful registration pages. They will be able to control their information release and privacy – you will put them back in control, and provide them safety, privacy and security.”

At which point my next question would be… “Why are all these relying parties signing up to make use of new Identity Technology xyz?” Two things I came to recognize.

First, no one outside of the “Identeratii” knew what a relying party was. In fact, it is pretty clear that consumers do not know what an identity is, and would not know an Identity Provider if it bit them on the nose – more about terminology and how to talk to the world in another blog posting.

Second, I came to recognize the withering and pitying look that smart people would give me that said – “You poor schmuck, you are clearly not very bright, I will try to tell you this once so pay attention.”

The answer generally went something like this.

“Relying Parties (I call them merchants or service providers mostly) will leap to implement new Identity Technology xyz because it will mean…
a) frictionless interactions with their consumers
b) massive reduction in user management overheads
c) password reset cost and overhead elimination
d) avoidance of nasty privacy and information management compliance issues
e) elimination of authentication systems
f) sharing of consumer information for the consumers good
g) better management of state
h) … (insert favorite technology value prop here)

Now, I have been dealing with identity for around 20 years now, and I have seen quite a few technologies come and go. Plus, working at PayPal is pretty instructive about engagement with merchants and service providers. So I would answer, “So you are telling a merchant that you have less than 1% of the internet identified at a trust level they can use, who might possibly come to their site and get these advantages?!?” Blank look. “So they still have to keep all the old stuff and add new stuff?!?”

At PayPal we can demonstrate a significant % increase in the amount of top line revenue that will accrue to any merchant that puts in our payment mechanisms – with hard data to prove it. Do you know how hard it is for us to get a service provider or merchant to modify their site or make a change in how the interfaces are handled?

Just to be clear, I believe in all the benefits described above for consumers and merchants. It is clear that different market segments, with higher or lower trust requirements and transaction values (no, not just $$$ – value), will have different answers to these questions. But for e-commerce, finance, health care and a bunch of other higher value transactions, we need to show some real business benefits.

So what is going on here? I looked around for an analogue to describe what appears to be happening in the identity space at the moment, and this seemed to fit the available data – at least in my world.

I am an amateur astronomer. Several times I have had the privilege of spending a week or more at professional observatories, pretending to be a real astronomer. One of the most memorable conversations I remember hearing (over breakfast at 5 in the afternoon) was a discussion between two astrophysicists arguing about what happened to the universe 2 billionths of a second after the Big Bang. Almost everything was different in those first moments from the universe we observe today after everything had a chance to settle down. This seems to be the same for the universe of consumer identity today.

The problem is that the value propositions we espouse only really make sense after large scale consumer identity has been in place for at least 5 years. I call this the “Steady State Theory of the Identity Universe”. We can easily describe the benefits in the steady state because there is enough network scale to make them work at that point. The really hard problem we have is that we are in bootstrapping mode and we are in relative terms only about “2 billionths of a second after the consumer identity big bang”.

There are several different models that make sense for getting from “here” (just after the big bang) to “there” (the steady state model).

One approach is to take a bounded identity community and show that you have a sufficiently high leverage point from your consumer identity space that you can show much better value than a few percent overlap with the service providers you are addressing. This bounding could be geographic, interest or community – anything that gives you a focused group to work with.

Another is to create a closed system, where you are in control of the consumers, identity provider and the relying parties (in a perfect world all three). In this way you can implement a set of progressive service types that add value over time. This is a little like the “store credit cards” you get from a Macy’s, etc. that provide value in their own environment.

Another is to tap into the enthusiasm of technologists who want to adopt the latest coolest thing – yes, we all know who we are…

Yet another is to provide an ecosystem where the value from the small number of consumers is so appreciably high that the relying party will really, really want to interact with them. If this can be tied directly to fraud/risk reduction, or increased revenue, then this is a potential winner.

At PayPal we have been thinking about how do we show value to the various players (there are probably at least 4) in an identity ecosystem, and what are the success criteria. One of the more interesting challenges is how do you decouple the value propositions so you do not have to show value to all participants at the same time (I hear another blog posting).

I am sure there are different “correct” answers in any of the bootstrapping models. And clearly the answer varies by technology, market, community and business segment. What I want to focus on here is that irrespective of which is your favorite hobby horse, talking to relying parties, consumers and identity providers about value propositions that will not be realized until we are operating in the “Steady State of the Identity Universe” will not actually help (yes, I do know how technology evangelism works). What we need to focus on is how to bootstrap these models.

In general my contention has been for a long while that we have no shortage of technologies. The real issue is how to build business and service models that will let us get to where we want to go.

Sheesh – who knew this was going to be so hard

I had great intentions (am I in hell yet?) about discussing my thoughts and findings as I worked through the various issues relating to consumer identity.

My excuses are that a) proprietary and strategic value to my employer, and b) actually realizing I ought to shut up and test a bunch of thoughts … have resulted in me not actually wanting to say anything in a blog context for quite a while.

Well, I think I have some thoughts that are worth sharing (or at least debating), so I am hoping to get them written down.

The discussion my thoughts have been generating recently has been fun and engaging, so it looks like at least some people think I may have some interesting ideas – as always you will all make up your own mind :)