Protecting digital, online identities is quickly becoming a primary focus for governments the world over. To assist in safeguarding the future of online identities, ABI Research posits that the Federated Identity Model could well be the solution for government.
In a recent research study conducted by ABI, entitled “Securing Online Access to e-Government Services Through Federated ID,” the Federated Identity Model is examined as a possible means to bolster online government and health care utilities.
In addition to improving security and privacy, the Federated Identity Model provides an easy-to-operate, user-centric service for accessing e-government services. Using either mobile devices or dedicated secure credentials – or likely some combination of the two – federated identity could see the national ID or mobile SIM card used as an authentication token.
Despite being very early on in the process, ABI Research estimates that some 786 million Federated Identity Model credentials will ship in 2018. In the meantime, however, some federated solutions – particularly those that promise convenience to the user – have already made landfall.
“Single sign-on solutions seem to be a popular option because they make things more convenient for the user,” says Phil Sealy, research analyst with ABI Research, and author of the report. “You have one set of login details, one password, one token, etc. to access multiple profiles – from a user perspective, that’s very helpful.”
The Federated Identity Model doesn’t just promise a more streamlined experience for the user, but for all involved in the process. “From a systems operator’s point of view, they no longer have to manage and maintain multiple accounts,” explains Sealy. “For example, governments could issue their personnel a single credential to cross over multiple utilities rather than use multiple credentials.”
As can be seen with the recent NIST report detailing the financial impact that the National Strategy for Trusted Identities in Cyberspace could have on the IRS, cost is also a factor well worth considering. “The federated identity model could reduce issuance costs, depending on the type of solution you deploy,” says Sealy.
The trust framework
But first things first: the Federated Identity Model essentially sees an identity service provider secure the link between user and service provider, creating what is commonly referred to as a trust framework. “The framework begins with a trusted digital identity issued to an individual, followed by a trusted identity provider that authenticates the identity,” explains Sealy. “Trust comes in when the user logs in and is diverted through that third-party identity provider to complete the trust framework.”
Sealy goes on to explain that the framework establishes two things. “The service provider can say, ‘yes,’ this person is trustworthy and it also tells the user that, ‘yes,’ the web site is legitimate, thus creating a trust ecosystem,” he explains.
This establishment of mutual trust is not only a key component of the Federated Identity Model but also one of its principal benefits. “A main benefit of the trust framework is that it provides trust for two parties: the service provider and the identity trying to access their service,” explains Sealy. “From the user’s perspective, the framework enables the user to trust the web pools they are trying to access.”
Federated identity and privacy
Sealy reiterates that privacy is a major issue at the moment and could well be a determining factor for Federated Identity Models moving forward. “I believe it’s going to go one of two ways,” says Sealy. “People could well be skeptical of it – particularly in the U.S. – because it’s another way to track our identities, see what we’re doing online including our online history.”
In the wake of current NSA leaks, this is certainly an understandable, and viable, sentiment. There may, however, be an alternative mode of thinking here. “On the other hand, the public could acknowledge what the technology does, a means to secure privacy and limit the amount of information you share with websites,” explains Sealy. “It’s a scenario where, for example, you wouldn’t need to provide as much information when you log into a blogging site as you would if you were trying to apply for a loan.”
Sealy’s predictions make sense, but the two opinions stand in stark contrast to one another. The prevailing sentiment is yet to be determined, but the government and health care sectors could be the catalysts for movement. “Moving forward, it will be interesting to see how the public reacts to it,” says Sealy. “In particular, if/when these digital identities are rolled out by federal agencies in health care and government, how will the public perceive the adoption?”
If the current trend continues, the public will have to wrestle with this sooner rather than later. Sealy and ABI reveal that significant interest has surfaced from government agencies, which are hoping to implement a trusted digital identity as well as a trusted ecosystem for users and service providers alike.
Initiatives like the national strategy in the U.S. and STORK in Europe are well on their way to defining the trusted digital identity ecosystem, with its accompanying responsibilities and levels of accountability, using a single digital credential to be trusted across both public and private organizations.
One digital ID to rule them all
Don’t be surprised if federated identity sounds familiar to you. Federated identity initiatives are already in place and being used by the likes of Facebook, Google and AOL.
Despite being a step in the right direction, Sealy explains that there is a chink in the armor of these current FIM initiatives. “There’s nothing to say that I can’t create 3 or 4 of these accounts under different personas,” says Sealy. “So a more secure alternative would be to provide each person with a digital identity that proves a person is who they say they are as well as provides a secure mechanism to authenticate them.”
It has been common practice for enterprises to conduct their identity business in house, the prevailing idea being that “in house” is a relatively controlled environment. “Enterprises often like to keep all their information confined within their own four walls,” says Sealy. “This way, you know what’s there, you know what measures are in place.”
Some skepticism remains as to the safety of certain applications outside of those four walls, but as Sealy explains, outsourcing identity isn’t without its benefits. “As a rule, having somebody come in as a third party adds another layer of security, another security level to the ecosystem,” says Sealy. “From a secure digital identity perspective, a more secure method would be to establish a physical, digital credential for each individual person in the country.”
But who can potentially step in and accomplish this? “The best candidates for this are the major IT players and cloud security experts, or possibly smart card vendors who have well-established relations with governments worldwide requiring high levels of security,” explains Sealy.
Sealy’s colleagues at ABI posit that the likes of Gemalto, G&D, Oberthur and Morpho are best positioned for such a deployment as they can easily leverage their existing relations with government and financial institutions. Moreover, these companies could take advantage of trusted service manager solutions, providing a platform to offer identity as a service.
From here, Sealy believes that with privacy, security and trust concerns abounding, federated identity shouldn’t be mandatory. “In an ideal world, it has to be optional,” says Sealy. “The user has to agree to opt in, rather than opt out.”