
Why we don't have federated consumer online identity

When I started out this blog I promised to mention if any posts have a VeriSign bias, this one mentions our technology (and the open standards they are based on) but still reflects my opinion rather than that of my company.

What is a federated consumer online Identity?
The general idea is that a consumer would be able to log on to one site and then automatically be able to log on to a different site with the same credentials (i.e. his or her identity would be transferable across multiple sites without the need to prove who that person is all over again). This of course makes the whole online commerce experience much easier and safer for the consumer and reduces the fraud that online companies experience.

Why don't we have it now?
I was involved in consumer authentication as far back as 1999. We were going to change the world with "federated consumer online identities" based on Public Key Infrastructure (PKI) technology. We didn't.

The reasons that my organisation at the time, and others since, failed are many, but the major one, I think, is something called identity proofing.

Identity proofing
Identity proofing refers to the process of deciding that the person who wants to open an online account at a site is really who they say they are. Think about an online book reseller such as Amazon. They "ID proof" a consumer by asking for valid credit card details with accompanying address data. That is fine for Amazon, but if that consumer then wanted to apply for a loan at an online bank they had no previous relationship with, the details provided to Amazon would not be enough for that bank to approve the loan.

In other words, the ID proofing needed for consumers at different sites varies. And ID proofing is expensive and time-consuming. Imagine buying that book at Amazon: would you want to go through the same process that you did for an online loan just to buy a book?

What isn't different between the online book reseller and the online bank is the way the account is accessed after it has been set up: usually a username and password, sometimes referred to as the first factor of authentication.

At sites such as online banking companies, the consumer might also be asked for a second factor of authentication, such as a one-time password generated by a token (e.g. PinSentry from Barclays in the UK) or a password taken from a number grid (e.g. the TAN system in Germany).

This second factor adds another layer of security, which makes it very hard for a fraudster to take over a consumer's account through techniques like "phishing".

As banks around the world have started to introduce second-factor authentication, the fraudsters have started to move towards easier phishing targets like national tax revenue agencies, online gaming / gambling sites and even motorists' associations!

This trend will continue as fraudsters go for the sites with the weakest security.

So given that, I think it is fair to say that almost any online site where there is a value to the fraudster in gaining access to an account will start to experience phishing.

This means that although the ID proofing element on each site may be different, the authentication methods used to access that account are starting to be a shared problem.

Now when we take ID proofing out of a federated online identity, we can start to see that the remaining authentication elements can actually be "federated".

Look at OpenID. This federates the first factor of authentication (username and password) across any site a consumer interacts with.

Look at OATH (openauthentication.org) which federates the second factor of authentication across any site a consumer interacts with.
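To make the "federated second factor" idea concrete, here is an added example (not code from the original post, from VeriSign, or from the OATH initiative) of what the OpenID and OATH paragraphs above describe: a one-time-password (OTP) token issued once and then accepted by more than one site. It implements the OATH HOTP algorithm (RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation to six digits) and a hypothetical shared validation service that several relying sites call. The class names, the in-memory store, the look-ahead window of 10 and the use of the RFC 4226 test secret are all assumptions made for this illustration; a shared validation service is one way to deploy OATH tokens, not something the standard requires.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class OTPValidationService:
    """Hypothetical shared validator: one place that knows each token's secret and counter.

    Every relying site asks this service whether a code is valid, so the consumer
    carries one token rather than one per site. The service is the only party that
    ever sees the token secret; the sites only see the six-digit code.
    """

    def __init__(self, look_ahead: int = 10):
        self.tokens = {}  # token serial -> {"secret": bytes, "counter": int}
        self.look_ahead = look_ahead  # tolerate a few button presses the server never saw

    def register(self, serial: str, secret: bytes) -> None:
        self.tokens[serial] = {"secret": secret, "counter": 0}

    def validate(self, serial: str, code: str) -> bool:
        tok = self.tokens.get(serial)
        if tok is None:
            return False
        # Search forward from the last accepted counter, never backwards: a code
        # that was already accepted (or skipped past) can never be replayed.
        for i in range(self.look_ahead):
            candidate = tok["counter"] + i
            if hmac.compare_digest(hotp(tok["secret"], candidate), code):
                tok["counter"] = candidate + 1
                return True
        return False


class RelyingSite:
    """A site that does its own ID proofing but outsources OTP checking to the shared service."""

    def __init__(self, name: str, otp_service: OTPValidationService):
        self.name = name
        self.otp = otp_service
        self.accounts = {}  # local username -> token serial bound at enrolment

    def bind_token(self, username: str, serial: str) -> None:
        self.accounts[username] = serial

    def login(self, username: str, otp_code: str) -> bool:
        serial = self.accounts.get(username)
        return serial is not None and self.otp.validate(serial, otp_code)


def demo() -> dict:
    """Walk one token through two sites; returns the outcome of each attempt."""
    rfc4226_secret = b"12345678901234567890"  # the RFC 4226 test-vector secret (constructed input)
    service = OTPValidationService()
    service.register("TOKEN-0001", rfc4226_secret)

    bank = RelyingSite("online-bank", service)
    shop = RelyingSite("book-shop", service)
    # Same physical token bound to two different local identities.
    bank.bind_token("alice", "TOKEN-0001")
    shop.bind_token("alice@example.com", "TOKEN-0001")

    results = {}
    results["bank_first"] = bank.login("alice", hotp(rfc4226_secret, 0))          # accepted
    results["bank_replay"] = bank.login("alice", hotp(rfc4226_secret, 0))         # replay rejected
    results["shop_skip"] = shop.login("alice@example.com", hotp(rfc4226_secret, 4))  # within look-ahead
    results["shop_old"] = shop.login("alice@example.com", hotp(rfc4226_secret, 2))  # counter now past 2
    results["bad_code"] = shop.login("alice@example.com", "000000")                 # garbage rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the bank and the book shop keep their own (different) ID proofing and their own usernames, yet both trust the same second factor, which is exactly the separation the post argues for. The look-ahead window is the usual operational trade-off: larger windows survive more unsynchronised button presses but give a guesser more valid codes per attempt, so a real service would also rate-limit failures per token.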

I usually sum the situation up in the following picture:
[Image: Diagram 4]
I don't believe we will see a federated consumer online identity any time in the near future, but like any problem, by breaking it down into smaller chunks we can start to make major progress towards our goal: making it easy for a consumer to have secure online relationships that are easy for them to manage.
