By some accounts, banks can accurately establish "who's who" for 90 percent of the U.S. population from their trove of authenticated identities. Reams of customer documents and data have been compiled under "know-your-customer" regulations and through account-opening marketing and sales tools. Uncle Sam, on the other hand, would have difficulty telling anyone from Adam, given the balkanized user databases of federal agencies and the lack of a centralized national-identity system. It's no surprise, then, that the federal government would like banks' help in creating networks of federated identity, that is, arrangements for sharing vetted user credentials among organizations, government and private industry included.
Foremost among these plans today is the E-Authentication Initiative, a program organized by the U.S. General Services Administration and charged with certifying and organizing standards and protocols for both public and private stakeholders in the government's E-Gov services build-out. Scott Lowry, a consultant working with the authentication group, says banks are highly regulated and identity management "is part of the fabric of the banking system." That means the industry "is sitting on the largest pool of credentialed users" among all potential private sources of authenticated identities, he says.
One hiccup in the government's plan has been the industry's limited interest in participating in federated identity. Only four institutions, Wells Fargo, Wachovia, National City Bank and an unidentified "university bank," are participating in the 150-company E-Authentication Partnership, a stakeholder group formed last year to map out the public/private questions of trust levels and rules for issuing credentials. "For the other banks not interested, [it] is being done in such a way that it's kind of hard for a bank to understand how they can benefit from it," says Karen Wendel, CEO of the bank-owned identity authentication consortium Identrus, an EAP member itself. Much of the focus on advancing federated identity through the E-Gov initiative has been on technical issues, not policy and legal aspects. "There's not really an acknowledgement [from banks] that that was something that needed to be fixed," Wendel says. But could the logjam soon be broken?
As early as this month, the GSA is expected to announce the next major phase of its federated identity work, the E-Authentication Federation. The federation will be the infrastructure through which credential providers approved by the GSA, which is partnering with 23 federal agencies, will launch pilot programs. Those providers will include an undisclosed number of financial institutions.
The debut will involve only a half-dozen implementations at lower-profile specialty federal agencies, and will be the first major iteration of the federated identity-authentication service rolled out for E-Gov. Credentialed on-line users could arrive from third-party identity authenticators ready to enroll in benefits or access sensitive personal data at a federal agency without needing to re-authenticate. According to E-Authentication Initiative deputy manager Georgia Marsh, the audience for this pilot could be huge: as much as 50 percent of the country's enrolled on-line banking market would have access to the six government applications reachable through bank-credentialing portals. The GSA is "willing to accept credentials from third parties, not just banks, who meet their certification requirements," says Carol Boye Benson, founder and partner of Glenbrook Partners. "Of all the available classes of third parties, banks are the ones that have both a large established on-line credentialed base of customers and solid 'know-your-customer' practices in issuing those certificates."
The names of the participating partner banks are being kept under wraps by nondisclosure agreements for now. Wells Fargo's interest in the GSA's federated identity program is no secret, given its participation in the EAP and appearances by Wells senior vp for e-business, James Gross, at federated identity policy conferences. Gross and Wells Fargo officials declined comment, as did two other large on-line banking players, Bank of America and Washington Mutual.
The scope of the banking industry involvement in the GSA's federated identity plans could potentially prove to be a milestone in the drive to make shared credentials a common cross-industry function. Universities, merchants and utility companies are possible generators of these authentications, but none has the reach, daily consumer contact or trust levels of banks. Announcing agreements and timeframes "would be one of the first of the advanced frameworks or federation...[and] that would be a big win for the federal government," says Dan Blum, senior vp and research director of the Burton Group.
Getting banks technically prepared for federated identity isn't considered an issue. Benson notes that most identity-management products banks invest in come with federated identity components in the box. The GSA published its plans for the E-Authentication Federation in the August 5 Federal Register, describing the new entity as infrastructure allowing the authorized exchange of information among GSA-approved credential providers and federal agencies. A single sign-on will let a user navigate from the credentialed portal site to government agencies. The federation is meant to satisfy the GSA's stated goals for the federated identity program: no reliance on a single standard, vendor, product or integrator; the ability to evolve with industry and technology changes; and the use of commercial off-the-shelf products that demonstrate interoperability.
Why is this such an important topic? Simply put, Blum says, "It's the wave of the future." The 25 E-Gov initiatives signed into law by President Bush in 2002 basically envisioned putting the government on-line. Benefit applications, purchases, queries and any transaction with public entities are to evolve into electronic form, for easier citizen access and cost savings. The E-Authentication Initiative is the "enabler," Marsh says, for the other initiatives, all of which will require user authentication at some point to deliver on E-Gov's promises. Citizens, federal employees and business officials will only need to be authenticated once, with a single set of tools.
According to Blum and GSA officials, live operations of some federated identity pilots have begun, but mainly in lower-activity corners of the government, such as internal travel or grant-writing functions with universities.
Some federated identity models have sprung up outside the GSA model, such as direct contractual partnerships or industry-specific federation communities. Both kinds have been slow to roll out, according to Blum, because of the many legal and procedural hurdles that must be cleared even in simple one-to-one federations.
Wendel says the issue of liability has been under-analyzed in the GSA federated model, with no contractual commitments offered. The proposed model also depends on a "trust chain" that Wendel argues may not hold up under the strain of differing authentication levels among organizations. That point could be moot if regulatory examiners push banks into multifactor authentication in the years to come, as the Federal Deposit Insurance Corp. recommended in February, but she believes it won't be a compliance issue until late 2006. Or there could be unknown liability on the institution's part, ponders TowerGroup analyst George Tubin: what about those who were authenticated but turned out to have stolen identities?
Communications specialist Brian Doherty says the GSA's pilot programs will feature lower-level authentications at agencies using assertions under the open SAML (Security Assertion Markup Language) standard, which the Financial Services Technology Consortium has supported for third-party federation.
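The trust-chain concern Wendel raises and the SAML assertions the pilots will carry meet at the relying party: the agency application that receives a bank-issued assertion has to decide whether the authentication strength being vouched for is good enough for what the user is about to do. The following is an added example, not code from the article, the GSA program or any participating bank. It applies those checks to a SAML 2.0 assertion in Python: trusted issuer, validity window, audience, and the AuthnContext class mapped onto an assumed four-level assurance scale, with each issuer capped at the level the federation is assumed to have certified it for. The issuer and application entity IDs, the level mapping, the per-issuer caps and the sample assertions are all constructed for the example. XML signature verification is assumed to have been done by an XML-security library before these checks run; the standard library's ElementTree does not verify XML-DSig.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Standard SAML 2.0 AuthnContext class URIs mapped onto an assumed 1-4 assurance
# scale. The mapping is illustrative, not the E-Authentication program's own.
AUTHN_CONTEXT_LEVEL = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}
# Hypothetical federation policy (all entity IDs made up): the credential providers
# this relying party trusts, each capped at the highest level the federation is
# assumed to have certified it for, and the level each application requires.
TRUSTED_ISSUERS = {"https://idp.first-bank.example": 2, "https://idp.second-bank.example": 3}
APP_REQUIRED_LEVEL = {"https://benefits.agency.example": 2, "https://records.agency.example": 3}


class AssertionRejected(Exception):
    """Raised when an assertion fails a relying-party policy check."""


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, app_entity_id, now, skew=timedelta(minutes=2)):
    """Policy checks on an assertion whose XML signature has already been verified
    (ElementTree does not check XML-DSig). Returns subject, issuer and effective
    assurance level, or raises AssertionRejected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise AssertionRejected("root element is not a saml:Assertion")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise AssertionRejected(f"untrusted issuer: {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise AssertionRejected("missing Conditions or validity window")
    if now + skew < _parse_time(cond.get("NotBefore")) or now - skew >= _parse_time(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion is outside its validity window")

    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if app_entity_id not in audiences:
        raise AssertionRejected("assertion is not addressed to this application")

    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    asserted = AUTHN_CONTEXT_LEVEL.get(ctx, 0)  # an unknown class counts as no assurance
    # Trust-chain rule: whatever the issuer writes in AuthnContext, it cannot vouch
    # for more than the level the federation certified it for.
    effective = min(asserted, TRUSTED_ISSUERS[issuer])
    required = APP_REQUIRED_LEVEL[app_entity_id]
    if effective < required:
        raise AssertionRejected(f"assurance level {effective} is below required level {required}")

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise AssertionRejected("missing Subject/NameID")
    return {"subject": subject, "issuer": issuer, "level": effective}


def make_assertion(issuer, audience, authn_class, issued, subject="user-1234", minutes=5):
    """Constructed, unsigned sample assertion for the demo (not a real provider's output)."""
    t0, t1 = issued.strftime(TIME_FMT), (issued + timedelta(minutes=minutes)).strftime(TIME_FMT)
    return f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_demo" IssueInstant="{t0}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{t0}" NotOnOrAfter="{t1}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{t0}">
    <saml:AuthnContext><saml:AuthnContextClassRef>{authn_class}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def demo():
    """Run the checks over constructed cases; returns the level or the rejection reason per case."""
    now = datetime(2005, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    bank1, bank2 = "https://idp.first-bank.example", "https://idp.second-bank.example"
    benefits, records = "https://benefits.agency.example", "https://records.agency.example"
    pwd_tls = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    pki = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
    cases = {
        "password_ok_for_benefits": (make_assertion(bank1, benefits, pwd_tls, now), benefits),
        "password_too_weak_for_records": (make_assertion(bank1, records, pwd_tls, now), records),
        "pki_but_issuer_capped_at_3": (make_assertion(bank2, records, pki, now), records),
        "wrong_audience": (make_assertion(bank1, benefits, pwd_tls, now), records),
        "expired": (make_assertion(bank1, benefits, pwd_tls, now - timedelta(hours=1)), benefits),
        "unknown_issuer": (make_assertion("https://idp.stranger.example", benefits, pwd_tls, now), benefits),
    }
    results = {}
    for name, (xml_text, app) in cases.items():
        try:
            results[name] = evaluate_assertion(xml_text, app, now)["level"]
        except AssertionRejected as exc:
            results[name] = f"rejected: {exc}"
    return results
```

The `min()` over the asserted level and the issuer's cap is the part that speaks to the trust-chain worry: a provider certified only for password-level credentials gains nothing by putting a stronger AuthnContext class in its assertions, and an application that needs a higher level simply refuses the session rather than trusting the weaker organization's word. The two-minute clock skew is an assumption for the example; a production relying party would also track assertion IDs to reject replays, which this example omits.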
One question banks must face is the reality of customer acceptance. Even with notable cases of data breaches and identity theft in the headlines, "customers aren't fleeing on-line banking, [even though] most institutions have not gone forward and strengthened their on-line authentication," says Tubin. Benson says the "overwhelming motivation" for banks to enter federated identity arrangements is for additional services and enhanced relationships with customers. "Banks have a secondary interest in what would be essentially a new stream of revenue, from the government paying for this authentication service," Benson says.
The business case for the federation is ultimately closer access to government services, most likely through a banking site portal. With welfare and veterans benefits, grant applications and government loans, banks could "enable government applications as part of a services portfolio for their customers," Blum says. "One could imagine the various kinds of benefits."