Authentication Needs to Be 'Strong'

It has become alarmingly clear: e-commerce will not thrive on usernames and passwords alone.


Identity theft and online fraud are forcing financial institutions, governments and other organizations to find ways to improve Internet security quickly. In October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance on the risk management controls needed to authenticate the identity of customers accessing Internet-based financial services, and it strongly recommended that banks comply with that guidance by the end of 2006.

This development, along with growing consumer concern, has heightened urgency around the adoption of strong authentication.

Strong authentication, as it is most often called, requires at least two independent forms of identity verification before access is granted to a network or online application. This usually means combining something a user "knows," such as a password or the answer to a challenge/response question (what's your pet's name?), with something a user "has," such as a hardware token or smart card. Two items from the same category do not add up to two factors: a password plus a pet's-name question is still only something the user knows, and both can be phished in the same sitting.

What a person "is," established by a photograph, a biometric scan or a fingerprint, can be added as a third factor. The difficulty lies in combining these three forms in a way that balances the certainty of the person's identity against the friction the additional checking creates for the user.
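As an added illustration of the two-factor rule above (this is example code written for this page, not code from the Liberty Alliance or ID-SAFE, which specifies no particular token algorithm), the Python below accepts a login only when a password hash ("something the user knows") and a one-time code from a counter-based token ("something the user has") both check out. It assumes an HOTP token per RFC 4226 as the "has" factor, PBKDF2 for password storage, and the RFC's published test secret so the codes are reproducible; the account record layout, the look-ahead window and the `verify_login` name are the example's own.

```python
"""Two-factor login check: PBKDF2 password hash ("knows") combined with an
HMAC-based one-time password from a counter token ("has", RFC 4226 HOTP).
Illustrative code for this article, not ID-SAFE or Liberty Alliance code."""
import hashlib
import hmac
import os
import struct

# Test secret from RFC 4226 Appendix D, used so the codes below are reproducible.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash so a stolen account table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_account(password: str, token_secret: bytes) -> dict:
    """Enrolment (hypothetical record layout): salted password hash plus the
    token's shared secret and the next counter value the server expects."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "token_secret": token_secret, "counter": 0}


def verify_login(account: dict, password: str, otp: str, window: int = 5) -> bool:
    """Accept only if BOTH factors verify. A single yes/no is returned so the
    caller cannot learn which factor failed. `window` is a look-ahead that
    tolerates a token whose button was pressed a few times without the code
    being submitted (the token and server counters drift apart)."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["pw_hash"])
    otp_ok = False
    for c in range(account["counter"], account["counter"] + window):
        if hmac.compare_digest(hotp(account["token_secret"], c), otp):
            otp_ok = True
            # Burn this code even if the password was wrong: a code the server
            # has already seen must never be accepted again (no replay).
            account["counter"] = c + 1
            break
    return pw_ok and otp_ok


def demo() -> list:
    """The cases a reviewer would test. Expected: [False, False, False, True, False]"""
    acct = make_account("correct horse battery staple", RFC4226_SECRET)
    return [
        verify_login(acct, "correct horse battery staple", "000000"),  # right password, bogus code
        verify_login(acct, "wrong password", "755224"),                 # valid code (counter 0), wrong password
        verify_login(acct, "correct horse battery staple", "755224"),  # that code is now burned
        verify_login(acct, "correct horse battery staple", "287082"),  # both factors, counter 1
        verify_login(acct, "correct horse battery staple", "287082"),  # replay of a used code
    ]


if __name__ == "__main__":
    print(demo())
```

The second and third cases show why the counter is advanced on any OTP match: a code observed over the user's shoulder cannot be saved up and replayed once the password is obtained later. A production deployment would add attempt throttling and a resynchronization procedure for tokens that drift past the window.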

One of the primary concerns around strong authentication is interoperability. In order for strong authentication to have maximum benefit and impact, solutions must be able to interact seamlessly.

For instance, say a user wants to sell stock in a brokerage account, transfer the proceeds to a checking account and then transfer the funds to buy a car, all via online transactions. Strong authentication assures each of the three sites (brokerage, bank and auto dealer) that it is really the user.

To date, most strong authentication solutions have been built using proprietary technologies and developed based on the requirements of specific vertical markets. As a result, many of these solutions cannot interoperate with each other and can be costly to deploy.

In late 2005, the Liberty Alliance took a hard look at these critical challenges and established the Strong Authentication Expert Group to help organizations meet new industry and government demands for stronger authentication solutions.

In addition, many Alliance members, including those in financial services, the global security market and various government sectors, have been working on strong authentication initiatives on their own for quite some time.

During the past year, the Liberty Alliance has also been developing the market requirements for deploying strong authentication appropriately in a federated environment. To date, the focus has been on establishing business use cases and surveying the standards activity that already exists so that the group does not reinvent the wheel.

Once that is done, the group will determine what additional standards may be required. In any case, one can expect the Liberty Alliance Project (LAP) to issue policy and business guidelines that show the way toward successful deployments.

Liberty's Strong Authentication Expert Group is expanding Liberty's work beyond federation to build ID-SAFE (Identity Strong Authentication Framework), an open framework intended to let hardware and software tokens, smart cards, SMS-based systems and biometrics interoperate across organizations, networks and vertical market segments, so that no site needs to rely on user names and passwords alone.

The work coming out of Liberty's Strong Authentication Expert Group goes hand in hand with the work that the Alliance has been doing in open, interoperable identity specifications. The key word here is interoperable.

For example, one concern some financial services organizations have is the emergence of "token necklaces": if each financial institution issues its own token, a consumer with accounts at several of them ends up carrying a token for each. ID-SAFE aims to let these individual mechanisms interoperate, reducing costs, increasing security and improving ease of use.

The Liberty Alliance is modeling the ID-SAFE technical development process on the success the group has had in introducing identity specifications for federated identity management: Liberty Federation, which consists of the ID-FF 1.1 and 1.2 and SAML 2.0 specifications, and Liberty Web Services, which consists of ID-WSF 1.0 and 1.1.

It took less than seven months from the time Liberty was formed in 2001 for it to deliver its first set of identity specifications, and the goal is to keep a similar pace with the development of ID-SAFE.

The success of the development process around these standards helped accelerate rapid deployment and worldwide implementations.

Liberty also incorporates relevant work from other open standards bodies into its specifications and welcomes any open standards bodies to participate in the development of ID-SAFE.

The Liberty Alliance believes ID-SAFE will help drive mass adoption of strong authentication by sharply reducing the cost and time required to deploy and manage strong authentication solutions. It should increase ease of use and interoperability across vertical segments and let organizations focus on developing new lines of business rather than worrying about compromising their customers' identities and personal data.

On the consumer side, Liberty Strong Authentication aims to offer increased protection against identity theft and fraud, a seamless user experience across networks, and privacy protection that ranges from anonymous to strongly identified, based on individual user consent and controls.

The U.S. FFIEC guidance has certainly served to put the banking industry on notice that the FFIEC sees this as an important issue; if the industry does not address it, one should expect the imposition of regulations rather than guidance.

While the type and extent of guidance issued by governments varies from country to country, Australia, Belgium, Brazil, Denmark, Hong Kong, Singapore and the UK are already either requiring or promoting some degree of strong authentication in various vertical segments. Other governments will undoubtedly implement similar requirements for stronger authentication in the coming months.

As organizations move rapidly toward a password "breaking point," they will need to strengthen user authentication with alternative methods, and they should begin planning now for their eventual transition from passwords to stronger authentication. As a standards-based framework, ID-SAFE provides a roadmap for that transition and helps make the Internet a safer, more secure place for doing business.

Roger K. Sullivan serves as VP of the Liberty Alliance's Management Board and is VP of business development for Oracle's identity management solutions. (c) 2006 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
