CNET posted a story last week suggesting that federated identity introduces a
"single point of failure" risk. This is a common objection to federated identity
systems, and the logic goes something like this: federated identity requires a
single authentication gateway that provides identity to multiple services; if or
when that gateway (or a credential used to authenticate at that gateway) is
compromised, all of the relying services are compromised with it. It is rarely
stated, but I assume one implication of this thinking is to leave the status quo
in place - the status quo being unique authentication credentials and identity
profiles managed locally at each service or application.
Newsflash for readers who subscribe to this single point of failure
argument... the status quo of digital identity is broken and badly in need of
reform!
Each and every new data (Choice)point that surfaces offers more insight into the current sad state of identity assurance on the Internet. Among other things, federated identity opens the possibility of reducing the number of Choicepoints out there - Choicepoint being this week's convenient shorthand for a vulnerable database that contains sensitive identity data - and yet the federated model inevitably leads to a discussion of a single point of failure.
Currently there are thousands (if not hundreds of thousands) of points of identity failure on the Internet. How are they administered? What are their security processes? How responsive are they to an attack? What software do they run? What recourse do you have if their incompetence results in your identity being compromised? I am fairly certain that if you started now, you could answer these important questions for each and every system that stores your valuable identity assets by the end of this decade, maybe - if only you knew every location where your identity data is stored. This is the status quo for identity – a myriad of unregulated, duplicative systems, each storing the key to your identity.
A Federated Future – some specifics…
So, if we can agree that the status quo needs reform, how can federated
identity help improve identity assurance? In my opinion the answer lies not
only in federated identity technology, but in the application architecture
changes that federated identity enables. For example, each of the 1000 points
of failure referenced above has been built to rely on a local copy of a complete
identity profile (often including SSN, legal name, address, etc.) for every
user. This highly insecure duplication of key identity assets is a result of
applications being developed in a pre-federation world, where relying on a
local database was the only viable development option for accessing identity
profile information. Systems designed to use a federated identity do not
explicitly require a complete identity profile to be stored locally. An
application that relies on federated identity needs only an opaque identifier,
one that does not tie the "user" to an individual. The risk of identity theft
decreases significantly if all an attacker can walk away with is an opaque
identifier and a history of transactions.
But what if a person's authentication credential for the federation starting
point is compromised? This risk is why federated identity projects often go
hand in hand with the rollout of strong authentication. The pervasive use of
user name/password as an authentication mechanism is one of the major
weaknesses in the way identity is handled in the status quo. In a federated
future, user name and password do not exist. Users establish their identity
using two-factor or other forms of strong authentication, and their identity is
then asserted on their behalf from these strong authentication points.
What about phishing and federated identity? Phishing is a complicated problem, but I would argue that one of the reasons people are susceptible to phishing attacks is that we are so conditioned to registering our personal information over and over again. The fat-fingered identity assertion is commonplace in the status quo; in a federated future, highly trusted systems of record will selectively register only the identity information an application needs to deliver a service. An email asking you to manually enter profile information will seem very out of place in the federated future.
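As an added illustration (not code from the original post), here is a small Python sketch of the two architectural points argued above: a relying party that receives only an opaque, per-service identifier from the identity provider, and a system of record that releases only the attributes each application is permitted to need. The identity provider, its secret, the release policy table and the user data are all constructed for this example, and the pairwise HMAC-derived identifier is one common way of making the identifier opaque, assumed here rather than taken from the post.

```python
import hashlib
import hmac

# Constructed sample data for a hypothetical identity provider (IdP); not from the post.
IDP_SECRET = b"constructed-idp-pairwise-secret"  # known only to the IdP
SYSTEM_OF_RECORD = {
    "alice": {"legal_name": "Alice Example", "ssn": "000-00-0000",
              "address": "1 Sample St", "email": "alice@example.test"},
}
# Per-relying-party release policy: attributes not listed are never asserted to that RP.
RELEASE_POLICY = {"shop.example.test": {"email"}, "forum.example.test": set()}


def derive_opaque_id(user_id: str, rp_id: str) -> str:
    """Pairwise pseudonymous identifier: stable for one (user, RP) pair, different
    across RPs, and not reversible to the user without the IdP secret."""
    msg = f"{user_id}\x00{rp_id}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()


def build_assertion(user_id: str, rp_id: str, requested: set) -> dict:
    """What the IdP asserts to an RP after strong authentication: the opaque subject
    plus only those attributes the RP both requested and is permitted to receive."""
    profile = SYSTEM_OF_RECORD[user_id]
    allowed = requested & RELEASE_POLICY.get(rp_id, set())
    return {"subject": derive_opaque_id(user_id, rp_id),
            "attributes": {k: profile[k] for k in allowed}}


def rp_record(rp_db: dict, assertion: dict, transaction: str) -> None:
    """A federated RP stores only the opaque subject, the released attributes and
    its own transaction history; it never holds a copy of the full profile."""
    row = rp_db.setdefault(assertion["subject"], {"attributes": {}, "transactions": []})
    row["attributes"].update(assertion["attributes"])
    row["transactions"].append(transaction)


def sensitive_fields_exposed(db: dict) -> set:
    """Which system-of-record fields a dump of this database would reveal."""
    dump = repr(db)
    return {k for p in SYSTEM_OF_RECORD.values() for k, v in p.items() if v in dump}


def legacy_rp_db(user_id: str) -> dict:
    """The status-quo design: a local copy of the complete profile for every user."""
    return {user_id: {**SYSTEM_OF_RECORD[user_id], "transactions": ["order#1"]}}
```

Comparing `sensitive_fields_exposed(legacy_rp_db("alice"))` with the same check over a federated RP database shows what a breach of each design would actually yield.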
Innovation is happening in the way digital identity is handled on the Internet, largely in response to an obvious need for reform. For the reasons listed above, and others that I am not bright enough to think of, future identity systems will rely on federated identity. In other words, the federated future is inevitable.
Note to the press: this conversation has evolved past single point of
failure objections to a discussion of the specific characteristics and architecture
of the federated future.