Credit: Shutterstock/Mad Dog

Pioneer of Federated Identity Concept Urges Fed ID to Abandon the Dream and Move On

August 31, 2021
By Shaun Waterman

It’s time to abandon the dream of an open, federated, multiplayer identity-provider ecosystem and move on, one of the pioneers of the concept told AFCEA’s 2021 Federal Identity Forum and Expo Tuesday.

“This federation dream that we've been hanging on to a long time, this model of anybody can get a credential from dozens or hundreds of identity providers and use it everywhere, hasn't taken hold, and I don't think it's going to anytime soon,” Jeremy Grant, coordinator of the Better Identity Coalition, said.

As a National Institute of Standards and Technology (NIST) official, Grant led the 2011 National Strategy for Trusted Identity in Cyberspace, the Obama administration’s ambitious plan to use government research and development seed money to kick-start a federated identity ecosystem. He took part in a Fed ID colloquy with former NIST colleague Paul Grassi, now an identity executive with Amazon Web Services.

Federated identity relies on a market model where consumers or citizens can sign up with an identity provider, who will then vouch for their identity with so-called relying parties, such as retail websites or government agencies. The consumer/citizen can then log on to those relying party sites via their identity provider without having to create a new account.

Central to the concept is a trust framework or certification program that identity providers have to comply with, and sets clear standards that relying parties can depend on as a guarantee the person logging on is who they say they are.

“These certification programs, these monolithic programs, are not gaining traction, as we've seen,” Grassi pointed out. Often, he said, that was because they were too complicated or onerous and were seen as duplicative of existing compliance requirements. On the front end, the federated login process had to be seamless, yet transparent to the user. “So these trust frameworks or whatever they're going to become in the future have got to become much more lightweight,” Grassi said, perhaps as simple as the Underwriters’ Laboratory sticker that adorns safety-certified electronic devices. “Best Buy doesn't sell anything that doesn't have the UL sticker on the back of it. So we know we can (safely) buy from Best Buy. We need to get something like that in the identity space,” Grassi concluded.

Another reason for the failure of the federated identity concept, according to Grant, was that the expected return on investment didn’t materialize. “On the consumer side, the business case has never really been as strong as we thought or maybe fantasized that it was,” he said. “Relying parties in particular, haven't seen the appeal.” In part that was because, although remote identity proofing remained very challenging, “On the authentication side, it's gotten a lot easier,” due to the emergence of new technologies for multifactor authentication like the FIDO standard or behavioral biometrics—which validate a user continuously over the course of a log-on session by looking at patterns of how they use their mousepad, keyboard or swipe controls on a phone or tablet.

Identity proofing involves ensuring that the owner of an online account really is the offline person they claim to be. Authentication means ensuring that it is really the owner of the account logging on.

As authentication has become easier, Grant said, it became more attractive for companies to manage their identity issues in house, especially given concerns about branding and customer experience. “A lot of relying party service providers aren't really incented to outsource [authentication] to a third-party identity provider; it makes a lot more sense to manage it themselves,” Grant said.

Overall, Grant added, “In both the public and private sector, it's been really hard, probably way too hard, to get different stakeholders to actually buy into this idea, particularly given that as you start looking at broader federation schemes … the different industries and stakeholder groups all come together with different drivers and different incentives.”


Share Your Thoughts:

They gave it a red hot go! But NSTIC and numerous other grand federations (in the UK, Australia, Canada, both public sector and private) have come and gone. These schemes are intuitively sensible but they generally fail to grapple with the fact that federation disrupts “elegant, time-honored bilateral arrangements between relying parties and subjects, instead pushing complex and novel trilateral arrangements between relying parties, subjects, and identity providers” (https://www.secureidnews.com/news-item/fractional-identity-an-alternative-to-nstic-federated-identity-models/).

The problem is identity is not what it seems. Bob might know Alice and he might introduce Alice to Carol but Carol needs to form her own relationship with Alice. The details that need to be known about us vary from one relationship to the next. In business, there is no universal identity provider who can be relied upon to vouch for everything about everyone.

Great comment, Stephen. Very insightful and concise. Thanks.
