The issue of identity authentication and security is front of mind for both the public and the banks. Identity theft is at an all time high with fraudsters deploying a wide range of techniques to steal personal identities. At the same time organizations, be they banks, other enterprises or the public sector, have struggled to justify the extensive costs that are associated with mass-deployed and flexible identity systems that are required to meet the identity fraud challenge.
It is for these reasons that the approach to identity security networks has been evolving rapidly in recent years with the advent of integrated identity networks being the latest innovative technique which has shown the potential to resolve many of the issues that have plagued this area of security. Its use at the heart of the BACSTEL-IP system is an award-winning example of the successful implementation of this approach.
Identity security has developed beyond the simplest form of authentication where one-party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.
As such, a more common technique being used widely today is the use of a federated identity network. This allows individuals to use one form of identity to authenticate themselves to a range of different organizations. As such, an individual could use one username/password, token/PIN, digital certificate/passcode issued by one organization for authenticating themselves to a completely different organization.
This approach solves many of the problems associated with the closed group identity security approach. For a start, the enormous investment involved in issuing digital certificates on smart cards, for example, can be recouped to some extent, by deriving revenue from allowing other organizations to authenticate their users with the same identity. There are also benefits for the users themselves as they do not need to carry or memorize a wide range of different passwords, PINs or tokens such as smart cards. In addition, co-branding and other marketing opportunities can be used to generate extra revenue within the community of organizations that are using the same federated identity group.
There are, however, significant challenges with this approach. Central to this is the level of trust that must be given by an organization using another organization’s authentication network. Essentially, an organization that is joining another’s authentication network must have confidence in the checks that have been carried out to guarantee the identity of the user. Privacy laws have further compounded this as one organization is unlikely to be able to share any meaningful information with another organization to prove that these checks are robust.
The result is that such schemes tend to rely upon the lowest common denominator authentication (typically username/password) and are used within small communities of interest. The ability to use a federated identity approach in a highly scalable environment is limited because of the levels of risk involved in relying upon the work of the issuing organization. However there have been notable implementations such as the USA CAC program where the departments are required to use a universal registration process.
It is for this reason that a new integrated identity approach has emerged in the last two to three years. In this approach the focus is on a single application being used at the hub of the authentication network which allows all participating organizations to be issuers.
The key lies in the use of an authentication platform that is flexible enough to accept the digital credentials of any participating organization. A good example of this is the new BACSTEL-IP system. When BACS (now VOCA) wished to deploy a smart card based digital identity solution, it needed to be able to authenticate a variety of different trust schemes, including Identrus and various member banks’ own PKI certificates. It therefore faced head on the need to have one platform that could authenticate any trust scheme. The success of the system that was eventually deployed has since received critical acclaim.
An additional advantage of the integrated approach is that it need not err towards the lowest common denominator digital identity solution – i.e. username/password. Therefore, should an organization within the integrated identity group want to be able to use stronger identity for some, if not all, of its transactions then this is possible without interfering with the requirements of other participants. As such, one organization may consistently have high transaction values that would justify and require a more robust authentication solution than lower value transactions would. This is based upon a financial risk versus cost of solution basis.
Integrated identity also circumvents the data privacy issue as each organization need only access the particular information that needs to be used during the authentication process for that transaction to take place. If the user wished for personal information to be held for use by multiple parties then this can still be done. However, it is much more likely that each application will hold the minimum amount of information required. Other, more sensitive details such as trading limits can then be held completely independently of any other party within the community.
It is envisioned that both federated and integrated identity networks will be increasingly deployed. The federated approach is thoroughly suitable for small communities that have rich, intensive interactions with simple risk management requirements. For large application owners who want a simple means of deploying and managing applications across a range of communities, the integrated approach will be preferable. This is especially because it also allows for a tiered authentication and risk model, and addresses privacy issues. Furthermore, it has the advantage of allowing any digital identity credentials that are already deployed to be used.
The author is head of transaction security of the e-security activities of Thales.