ID Management Standards Ready for Users

After years of development, the concept of "federated identity" may be moving forward.


The Liberty Alliance Project, a 150-member alliance formed in September 2001, has completed its Identity Assurance Framework, a set of standards meant to help companies or organizations to authenticate someone online and then vouch for that person to enable access to other companies' Web sites without a second authentication.

The alliance recently shared the details of the framework and hopes that some companies will begin using it next year.

Jane Hennessy, a senior vice president at Wells Fargo & Co. and a co-chairwoman of the alliance's Identity Assurance Expert Group, said in an interview last week that bankers are in an excellent position to sell identity services.

"We've got a very large, strong, already authenticated customer base," Ms. Hennessy said. "There are a variety of institutions that can and do make a business out of this."

Brett McDowell, the executive director of the Liberty Alliance Project, said bankers have an opportunity to increase revenue using their current infrastructures and practices.

"Financial institutions have incredible upside for getting into this game," Mr. McDowell said. "They already have millions of authenticated users — well-identified, authenticated users."

Some observers are skeptical about how quickly the market for identity management will develop.

Rachel Kim, a research analyst at Javelin Strategy and Research of Pleasanton, Calif., said that very few U.S. banking companies other than Wells have made much of an effort in this area.

"They're sitting on this pool of vetted identities. It's just a question of how do they make money off it," Ms. Kim said. "They need an established business proposition."

The alliance says the framework could quickly establish a functional identity management market.

"We plan to have this thing nailed down and operational in 2008," Mr. McDowell said. "We have a sense of urgency to move forward, because many of our participants see immediate market demand."

The framework proposes auditable standards for federated authentication, with four levels of trust.

At Level 1, the relying party would put little or no confidence in the validity of an asserted identity, such as a personal identification number used to register for a news Web site. At Level 4, the relying party would put a very high level of confidence in a credential, which could be required, for example, to authorize users to dispense controlled drugs. This level of identification could employ multifactor remote authentication through "hard" tokens, such as cryptographic keys on smart cards.

The project is aimed mainly at online access, but could also be used for access to physical sites.

The alliance plans to accept comments on the framework through yearend. Next year it plans to begin the first phase of a process to provide accreditation to assessors — probably big accounting firms — that would perform certification assessments for companies such as Wells that want to be "Credential Service Providers."

Ms. Hennessy said the federal government and a number of industries, such as pharmaceuticals, energy trading, and aerospace, already require high levels of identity assurance, but a lack of standards forces each one to start from scratch on identity management issues. "They have to go through all that again with a big expense of time and resources," she said.

The technological issues have largely been solved, Mr. McDowell said. SAML 2.0, one of a family of "XML" languages that uses extensible markup language to automate data processing, has been accepted as a de facto standard for identity management by the Organization for the Advancement of Structured Information Standards.

Pieces of the technology are already in use. Wells, for instance, uses Liberty Alliance Project protocols to allow users to sign on once for access to all of its retail banking Web sites, including those for online banking, brokerage, and bill payment.

Nacha, the electronic payments association, plans to use SAML for its Ebids system, which will begin testing next quarter and will use the automated clearing house network to connect billers, financial institutions, and consumers for electronic bill delivery and payment.

Ms. Hennessy said the establishment of standards could accelerate the interoperability of credentials.

"It's amazing how many interconnections there are among the different federations," she said. For instance, a drug maker may need high-level credentials for employees who file clinical trial results with the Food and Drug Administration, but it also may have manufacturing plants whose employees must file reports with the Environmental Protection Agency. "The perception is that these industries operate in silos, but the reality is they don't."

Mr. McDowell said that by certifying the assessors, "it enables those federations to more easily interfederate."

That shift would open up a new business opportunity, he said. "What we're changing in the marketplace with this process is the value proposition for people to get involved. We think we're going to change this economic model enough to see large growth."

Ms. Kim of Javelin said that the economics of the nascent identity industry remain very uncertain, and that the more immediate opportunity might be in the consumer market, rather than helping businesses work with government.

And though vendors certainly will go after the business, banks could be strong competitors, she said. "If you think about who you trust the most, and who you would want to be authenticated by, I would want to use my bank."

