Umbrella Group Seeks to Bridge ID Management

Since most of the consortiums formed to promote interoperability among proprietary online identity management programs have had results that can best be described as ironic, the Kantara Initiative — the latest attempt to bridge automated architectures and bring a sense of harmony to authentication — has its work cut out for it.

"In America we have a bias at the top levels of management. There's a notion that standardization is noncompetitive," said Tom Wills, the senior analyst in charge of security and fraud practice at Javelin Strategy and Research in Pleasanton, Calif.

The tech-heavy focus of most federated ID efforts hasn't helped, Wills said. "These initiatives have had trouble getting the attention of the top management, even in member organizations, which initially give their cursory blessing, then the initiative often falls to seven or eight on the priority list."

The Kantara Initiative, launched in April, is positioning itself as an umbrella organization to meld and expand upon the collective efforts of many current ID interoperability groups that have agreed to participate. These groups include the Liberty Alliance, Concordia Project, Data Portability Project, the Information Card Foundation, the Internet Society, OpenLiberty.org and XDI.org.

On their own, this pre-existing gaggle of organizations has been unable to generate widespread enthusiasm among banks or tech firms — partly because of the impression that the various consortiums are competitive or politically oriented toward standards favoring specific solutions, participants in the new effort acknowledge. And the sheer number of groups also dilutes their stated goals.

"Anywhere north of a half-dozen organizations is infeasible," said Michael Barrett, the chief information security officer of the PayPal unit of eBay Inc., which is a member of the Kantara Initiative. "Every time three people got together to talk about identity, it would spin off a new organization."

Kantara (from the Swahili, meaning "bridge") is positioning itself as different from previous groups by arguing a business and marketing case for shared authentication protocols among banks, technology vendors and identity firms, as well as other industries such as health care, rather than focusing solely on technology.

The initiative's first output is expected in the next couple of months.

"This functionality could include more usability features for consumers, increased security and privacy for enterprise and social networking applications, and new methods for organizations to address compliance and liability issues," said Roger Sullivan, a vice president of identity management at Oracle Corp. and the president of the board of trustees of the Kantara Initiative.

The initiative has attracted 50 members — including Citigroup Inc., PayPal and Oracle — and its board of trustees includes AOL, Intel Corp., Fidelity Investments, Novell Inc. and Sun Microsystems Inc.

One focus of the initiative is getting three general categories of authentication to work together: federated identity, which uses the Security Assertion Markup Language and Public Key Infrastructure to enable authentication across organizations; Open ID, an open standard authentication protocol; and Information Cards, which are used by systems including Microsoft Corp.'s Windows CardSpace, DigitalMe and Higgins Identity Selector to manage electronic IDs for a variety of purposes.

Not everyone is completely sold. Stephen Wilson, a principal at the Australian identity technology firm Lockstep Consulting Pty. Ltd., wrote in a blog that silos are "carefully constructed risk management arrangements" that protect relationships in addition to identities, and breaking open these silos is "an incredibly complex exercise, and probably unbounded."

Wills said Kantara has done well at the launch phase to attract attention, but the long-term test will be selling the business imperative over the technological need.

"At least at the launch phase, it's had higher executive involvement," Wills said. "The proof is going to be if it can sustain its efforts and get through the political aspects of developing the standards and getting them into the industry."

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER