The concept of reusing credentials is nothing new. A host of standards and technologies has grown up over the last decade: SAML, WS-Federation, OAuth, OpenID, and others have matured from nascent concepts into standards with broad adoption in COTS products, and they continue to evolve to support new cloud and mobile use cases. Despite these developments, the average user still carries dozens of credentials from a host of industries: online merchants, social networks, banks and financial institutions, insurance companies, email providers, utility services, and on and on the list goes.
The Problem
The failure has not been at the technology level; it is a story of failed business models, liability confusion, user privacy concerns, and marketplace inertia. Here is a brief overview of the challenges:
Business Models: The promise of reduced credentialing is to let application owners end, or at least greatly reduce, their costs for credential lifecycle management. Yet most applications that accept federated credentials still run in a mixed mode, supporting locally managed credentials alongside reusable ones. How much does this mixed mode actually save the application owner? How do they compensate external Identity Providers for the use of their credentials? Without compensation, either direct (payment for issuing credentials) or indirect (collecting user data to resell), Identity Providers have little reason to exist.
Liability: When a credential is compromised and sensitive data is lost, who is liable in a federated environment? Is it the provider of the credential? Is the loss the application owner's to absorb? Can financial losses be capped? What federal and state laws apply? What if the access occurs from an international location? Can these losses be insured to mitigate the risk? These are common questions from Identity Providers and application owners alike, and without clear answers application owners often issue their own credentials as the safe play.
User Privacy: How much do you want an Identity Provider to know about the end user, and about where their credentials are being used? What privacy policy should be in place? If I accept external credentials, will users even want to use them, given the risk of the Identity Provider profiling their activity?
Marketplace Inertia: In the face of uncertainty and risk, keep doing what we have been doing! Change is hard; following the crowd is easy.
Potential Forces of Change
More than in the recent past, business leaders understand that the challenges to reusing trusted identities extend well beyond technology. As a result we are seeing a host of changes, driven both by business needs and by government policy.
Social Network Credentials: User expectations are changing, driven by the convenience of using social credentials to access applications that host low-risk information.
Joint Government/Private Sector Initiatives: Numerous bodies are currently looking to create an interwoven fabric of trusted credentials based on Trust Framework Providers. A Trust Framework Provider is an organization that defines or adopts an online identity trust model and then certifies Identity Providers that comply with that model.
Government Sponsored Organizations
Private Sector Trust Framework Providers
Will efforts catch fire?
The good news is that it is hard to recall a time when so many separate efforts were cooperating to drive towards the same goals around reusable online identities. Will these current initiatives break the marketplace inertia, or will they go the way of previous well-intentioned efforts that have done little to move the needle on creating ubiquitous, reusable, trusted identities? What do you think?
-Steve Skordinski