A Step Closer to Identity-enabled Transactions
Last week, the Kantara Initiative announced that it had received final approval of its Trust Framework Provider (TFP) program as the only approved US Government TFP certifying credentials at Levels of Assurance (LoA) 1, 2 and 3 non-crypto (that is, non-PKI).
Having been involved with the Kantara Initiative Identity Assurance Work Group (IAWG) and the development of the Identity Assurance Framework for a few years, I consider this milestone significant. It signals the beginning of an era in which citizens will be able to rely on credentials of known LoA, issued to them by trusted third-party providers, to access US Government services online. These credentials will conform to the NIST Special Publication 800-63 guidelines.
The Office of Management and Budget (OMB) is driving a timeline within the US Government to foster the use of credentials issued at known LoAs, starting with LoA 1 and eventually adopting LoA 2 and 3 non-crypto credentials for higher-value US Government agency services in the near term.
This has been a long time coming, and while many hurdles had to be cleared, I commend the perseverance and leadership within the US Government and the Kantara Initiative for reaching this milestone. It is the first of many to come, I am sure.
Why is this relevant?
In my view, there are a few reasons that make this milestone relevant:
- This is a sign of commitment from the US Government to the strategy for identity-enabling online services described in the National Strategy for Trusted Identities in Cyberspace (NSTIC). Establishing an identity ecosystem of private-sector entities that would issue and manage credentials at defined LoAs, which the US Government could trust, was one of the tenets of the overall strategy, and accepting the Kantara Initiative as a TFP is an important milestone in the execution of that strategy.
- It represents the first, of possibly many, private-sector initiatives and organizations that will enable the next generation of identity federation within the US Government.
- It materializes an initial set of policies and standards needed to put into practice what was for years discussed as utopian: "could we agree on a set of parameters that convey trust, at known levels, to the parties involved in online transactions, such that high-value online services can be provided at large scale?" The answer seems to be yes.
What does this mean to you?
A few things will start to change over time, which will impact the way you interact with the US Government online, and eventually with non-Government service providers as well.
- As an individual end user, you will start to see US Government websites advertising that they accept credentials from a list of providers they trust. Hence, if you hold a credential issued by one of those providers, you will not need to create a separate account on that website: behold real identity federation!
- At lower LoAs, it is quite plausible to expect that some US Government sites will allow you to log in with Facebook or Gmail credentials (to name two) in the very near term. LoA 1 requires no identity proofing, so such credentials only establish that the same person is returning, not who that person is.
- You will become more aware of privacy issues relating to digital identity, and in particular will give some consideration to which credential to use for which kind of transaction.
- There will be some debate over whether and how higher LoA credentials will have a direct cost to the end user, or if instead, they will have an indirect cost (i.e. they are given as part of a subscription to some other service)
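As an added example (not code from the original post, from the Kantara Initiative or from any agency), here is the policy step a relying party runs after its federation library has validated an incoming assertion's signature, audience and freshness: look the issuer up in the trust list imported from the TFP, cap the asserted LoA at the level the TFP certified that issuer for, and compare the result against what the transaction requires. The entity IDs, provider names and LoA context URIs below are constructed placeholders, not real certifications or real profile URIs.

```python
"""Relying-party (RP) acceptance check for a federated credential at a known LoA.

Added example, not code from the original post, Kantara or any agency. The
provider names, entity IDs, LoA URIs and assertion fields are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: authentication-context URIs that identify NIST SP 800-63 LoA 1-3.
# Real federation profiles define their own URIs; these are placeholders.
LOA_BY_CONTEXT: Dict[str, int] = {
    "http://example.gov/ns/assurance/loa/1": 1,
    "http://example.gov/ns/assurance/loa/2": 2,
    "http://example.gov/ns/assurance/loa/3": 3,
}


@dataclass(frozen=True)
class TrustedProvider:
    """One entry of the trust list an RP imports from the trust framework provider."""
    entity_id: str      # issuer identifier exactly as it appears in the assertion
    display_name: str   # what the RP shows on its login page
    certified_loa: int  # highest LoA the TFP has certified this issuer for


# Constructed trust list (illustrative issuers, not real certifications).
TRUST_LIST: Dict[str, TrustedProvider] = {
    p.entity_id: p
    for p in (
        TrustedProvider("https://idp.social.example", "SocialCo", 1),
        TrustedProvider("https://idp.telco.example", "TelcoCo", 2),
        TrustedProvider("https://idp.bank.example", "BankCo", 3),
    )
}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    effective_loa: int  # LoA the RP actually relies on (0 when rejected outright)
    reason: str


def evaluate_assertion(issuer: str, authn_context: str, required_loa: int,
                       trust_list: Dict[str, TrustedProvider] = TRUST_LIST) -> Decision:
    """Decide whether a validated authentication assertion meets a service's LoA need."""
    provider = trust_list.get(issuer)
    if provider is None:
        # Trust comes from the framework's list, not from the assertion itself.
        return Decision(False, 0, "issuer is not on the trust list")

    asserted_loa = LOA_BY_CONTEXT.get(authn_context)
    if asserted_loa is None:
        return Decision(False, 0, "unrecognised authentication context")

    # Cap what the IdP claims at what the TFP certified it for: a LoA 1
    # provider asserting LoA 3 is a misconfiguration or an attack, not a bonus.
    effective_loa = min(asserted_loa, provider.certified_loa)
    if effective_loa < required_loa:
        return Decision(False, effective_loa,
                        f"LoA {effective_loa} is below the required LoA {required_loa}")
    return Decision(True, effective_loa, "accepted")


def providers_to_advertise(required_loa: int,
                           trust_list: Dict[str, TrustedProvider] = TRUST_LIST) -> List[str]:
    """Provider names an RP can list on the login page of a service at the given LoA."""
    return sorted(p.display_name for p in trust_list.values()
                  if p.certified_loa >= required_loa)


if __name__ == "__main__":
    # A LoA 1 service: any certified provider will do.
    print(evaluate_assertion("https://idp.social.example",
                             "http://example.gov/ns/assurance/loa/1", 1))
    # The same social login is refused for a LoA 3 service even when the
    # assertion over-claims LoA 3, because the cap is the TFP certification.
    print(evaluate_assertion("https://idp.social.example",
                             "http://example.gov/ns/assurance/loa/3", 3))
    print(providers_to_advertise(3))
```

The cap is the part practitioners most often forget: the relying party's trust in a LoA comes from the TFP's certification of the issuer, so the assertion's own claim is only ever a lower bound on what the RP should discount, never something to accept at face value.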
What should we expect to see in the future?
I think that the future will be quite interesting and exciting as the execution of the NSTIC strategy continues:
- More organizations will become TFPs, such as the Open Identity eXchange (OIX), creating a number of options and a market for credential issuers at various LoAs
- I very much believe that Identity Brokers will emerge as a result of the formation of the identity ecosystem, as stated in our January 3, 2011 predictions, but I doubt that this will happen in 2011. So I guess this will be a carryover into 2012
- Beyond technology or IT services providers, players in other industry sectors, such as banks and mobile carriers, will start announcing identity services that can be leveraged within the identity ecosystem. A case in point is the announcement by the Government of Canada that it will trust credentials issued by banks for access to agency services online
- There will be a tipping-point-like adoption of services at LoA 3, where the sweet spot for high-volume, high-value transactions seems to lie. Therefore, I anticipate that once a certain threshold is met, there will be an explosion of LoA 3 services and credential providers in the market
- There will be lots of debate over whether employers should issue NSTIC-compatible credentials to their workforce, and whether those credentials could be used in a personal context. These debates will unearth a number of privacy and security perspectives that we have not yet been able to discuss thoroughly, simply because there was no identity ecosystem per se. Moreover, this debate will also encompass whether employers should trust NSTIC-compatible credentials that employees may already hold, issued by a third party. The outcome will be a number of standards, policies and potentially even regulation around privacy and acceptable use, further blurring the line between consumer and corporate use of IT infrastructure: the consumerization of Enterprise IAM
- We will witness the end of PKI-centric user authentication, if it is not fully dead yet (there, I said it: "there won't be a year of PKI"), and the extinction of programs such as HSPD-12 (the directive behind the PIV smart card for federal employees and contractors), which will be replaced with more user-friendly and cost-effective non-crypto credentials that will reach mass scale more rapidly
I will be very interested in your thoughts about this fascinating transformation that we are fortunate enough to see unfold before our eyes.