United Nations of Identity Management

Since most of the consortiums formed to promote interoperability among proprietary online identity management schemes have had results that can best be described as ironic, the Kantara Initiative - the latest attempt to bridge automated architectures and bring a sense of harmony to authentication - has its work cut out for it.

"In America we have a bias at the top levels of management; there's a notion that standardization is non-competitive," says Tom Wills, senior analyst in charge of security and fraud practice for Javelin Strategy and Research, who says the tech-heavy focus of most federated ID efforts hasn't helped. "These initiatives have had trouble getting the attention of the top management, even in member organizations - which initially give their cursory blessing, then the initiative often falls to seven or eight on the priority list."

The Kantara Initiative is an umbrella organization that hopes to meld and expand upon the collective efforts of many current ID interoperability groups that have agreed to participate. These groups include the Liberty Alliance, Concordia Project, Data Portability Project, the Information Card Foundation, the Internet Society, OpenLiberty.org and XDI.org.

On their own, this pre-existing gaggle has been unable to generate widespread enthusiasm among banks or tech firms - partly because of the impression that the consortiums are competitive or politically oriented toward standards favoring specific solutions. And the sheer number of groups also dilutes the stated goals. "Anywhere north of a half dozen organizations is infeasible," says Michael Barrett, CISO of PayPal, which is a member of the Kantara Initiative. "Every time three people got together to talk about identity, it would spin off a new organization."

Kantara is positioning itself as different from prior groups by arguing a business and marketing case for shared authentication protocols among banks, tech vendors and identity firms (as well as other industries such as healthcare) - rather than focusing solely on technology. The initiative's first output is expected in the next couple of months. "This functionality could include more usability features for consumers, increased security and privacy for enterprise and social networking applications, and new methods for organizations to address compliance and liability issues," says Roger Sullivan, a VP of identity management for Oracle and president of the board of trustees of the Kantara Initiative, which has attracted 50 members - including Citigroup, PayPal and Oracle - and whose board of trustees includes AOL, CT, Intel, Fidelity Investments, Novell, Sun Microsystems, and others.

One of the initiative's focuses is getting three general categories of authentication to work together: federated identity - which uses the Security Assertion Markup Language (SAML) and Public Key Infrastructure (PKI) to enable authentication across organizations; OpenID - an open standard authentication protocol; and Information Cards - which are used by Microsoft Windows' CardSpace, DigitalMe and Higgins Identity Selector to manage electronic IDs for a variety of purposes.

Not everyone's completely sold. Stephen Wilson, an executive at identity tech firm Lockstep, wrote in a blog that silos are "carefully constructed risk management arrangements" that protect relationships in addition to identities, and breaking open these silos is "an incredibly complex exercise, and probably unbounded."

Wills says Kantara has done well at the launch phase to attract attention, but the long-term test will be selling the business imperative over the tech need. "At least at the launch phase, it's had higher executive involvement," Wills says. "The proof is going to be if it can sustain its efforts and get through the political aspects of developing the standards and getting them into the industry."
