Online Identity Schemes: Innovation, Privacy, Security and the Future.

Introduction to the world of Online Identity

Identity is our very essence; it is our being and it is how we communicate with the world. The fact that we now need to digitize our identity means that we have to find new and novel ways of communicating information about ourselves, in a way we have not naturally evolved to do. Instead we have to create technical paradigms that take our real-world identifying features and use digital versions of them that can be communicated programmatically. This idea, simple on paper, has created a mass movement looking at how best to do that. In the last ten years online identity has transformed from a login to a company resource into full-blown, mass-scale citizen identity schemes, like those in the UK and New Zealand.

In this article, I will explore the innovations taking place in the digital identity space and some of the hurdles, like privacy, security, verification and user centricity, that need to be addressed to get the most out of such schemes.

The Near Past

I have often found that to understand something you need to understand where that something has come from. This is no less so in the identity space. Digital identity has been through a turbulent evolution in the past ten years. The selection forces for this evolution have been wide and various, but include changes to the way we communicate online, the ecommerce explosion, social platforms, digital government schemes and the fuzziness of the new corporate perimeter. If we were to condense this down into a simple concept, we could describe digital identity as originally something that existed within a closed infrastructure, like a network directory, and now something that needs to work across an open system, the Internet, and even beyond it now that we have the Internet of Things.

In its previous incarnation, digital identity belonged to the organization that created it, rather than the individual it referred to. For example, a network directory would hold various identity attributes about an individual employee, their name, address, employee ID, role and so on. Identification was not really the goal; it was more about a simple method of authentication and access control.

Personal digital certificates were another scheme, used in an attempt to make identity more personal. The certificate authority had to check that the user was who they said they were before issuing the certificate. Personal certificates were, and still are, used in many European countries, but they have some drawbacks, including portability and cross-device support, particularly if they are held on hardware tokens or smart cards.

Modern Online Identity Schemes

The idea of individuals owning their own identity started to take shape in the early 2000s. Discussion around just what a digital identity is became heated, and philosophical point scoring became quite popular in identity circles. These debates still rage, but one thing is certain: digital identity is composed of personal identity attributes, sometimes called ‘claims’, which can literally be anything, from your name and address to medical records and degree certificates.

As the use of the Internet grew, various other driving forces, some of them mentioned above, came into play. These new platforms needed to have a more fluid approach and offer fully online methods of identification for transactions. The idea of the user, rather than the corporation, becoming the identity owner, came into existence in the form of ‘user-centric’ identity and identity ‘eco-systems’.

The Identity Eco-System

An identity eco-system is made up of a number of key players, each of which services a different part of an online identity transaction. So typically, you would have as a core:

  • Service provider, for example, a digital government service (SP)
  • An identity provider, this is a platform that issues and manages a person’s online identity and often also provides authentication checks (IdP)
  • The identity owner, e.g. the user

You may also have as part of the eco-system:

  • Attribute provider – a third party who may provide identity attributes, for example a medical insurance company (AP)
  • A verification service, for example a credit file agency, who can check a person’s status
  • A third party authentication provider, for example, a company that offers specialist authentication devices like smart cards or similar
  • A hub – this is a central part of the eco-system that acts as a proxy service and is used to enhance privacy by preventing IdPs from tracking which services a user accesses

The eco-system participants work together to create the whole system. The system can also incorporate the principles of ‘federation’ or ‘single sign on (SSO)‘, which means that the whole system is then portable to other community members of the eco-system. In other words the same identity can be used across many service providers.

Frameworks and Standards

To help create the framework for online identity a number of non-profit organizations have entered the stage. Organizations, like the Kantara Initiative, OASIS and the Open Identity Exchange (OIX), bring together world experts on identity to help develop standards to define how online identity should work.

Hurdles to Identity Success

Privacy: Privacy issues have plagued online identity schemes. One of the pre-requisites of a user-centric, decentralized identity eco-system is the retention of privacy of the user’s identity attributes, and even total anonymization of a user’s identity during a transaction if required. How to achieve this is as much of a legal hurdle as a technological one. Attempts at introducing identity schemes offline, such as the UK Identity Card scheme, have failed because of lobbyists attacking the lack of privacy of such schemes. One of the areas of interest of the privacy lobby, in online identity schemes, is to ensure that the IdP within any identity eco-system is not able to track a user’s movement across the Internet. This is a difficult thing to achieve. Systems like the UK Government’s ‘Verify’ identity eco-system have utilized a central ‘hub’ to create a ‘disconnect’ between the IdPs and the services consuming the identities. This, in theory, means that none of the identity providers can see which government service the user has transacted with.

Keeping individual attributes private can be achieved through technology. A good example is age verification. If a service needs to know whether a user is over a certain age, or in a certain location, for example to play on an online gaming site, then the identity provider (IdP) can use a number of different methods to return only the information needed, in an obfuscated or privacy-enhanced form. For example, if the user is over 18, the IdP could return a simple ‘Yes or No’ response, rather than the user’s full date of birth. Similarly, if they need to be within a given European country to play an online game, then the IdP would return a ‘Yes or No’ to being in that locality at the time of play.
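The Yes/No pattern described above, written out as an added example (this is not code from the article or from any IdP product; the record layout, the query shape and the function names are assumptions). The point of interest is the edge case: an "over 18" answer computed from a date of birth must handle a 29 February birthday without saying Yes a day early.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IdentityRecord:
    """Attributes held by the IdP (constructed sample data, hypothetical layout)."""
    subject: str
    date_of_birth: date
    country: str  # ISO 3166-1 alpha-2 code of where the user currently is


def is_at_least(dob: date, years: int, on: date) -> bool:
    """True if someone born on `dob` has reached `years` years of age on `on`.

    A 29 February birthday is treated as falling on 1 March in non-leap years,
    so nobody is reported as old enough a day early."""
    try:
        birthday = dob.replace(year=dob.year + years)
    except ValueError:  # 29 Feb does not exist in the target year
        birthday = date(dob.year + years, 3, 1)
    return on >= birthday


def minimized_response(record: IdentityRecord, query: dict, today: date) -> dict:
    """Answer a service's predicate query with Yes/No claims only.

    `query` may contain "min_age" (int) and/or "country" (alpha-2 code), e.g.
    {"min_age": 18, "country": "DE"}. Every value in the result is a bool; the
    raw date of birth and location never leave the IdP."""
    answer = {}
    if "min_age" in query:
        key = f"age_at_least_{query['min_age']}"
        answer[key] = is_at_least(record.date_of_birth, query["min_age"], today)
    if "country" in query:
        answer[f"located_in_{query['country']}"] = record.country == query["country"]
    return answer


def leaks_raw_attributes(response: dict) -> bool:
    """Defensive check an SP-facing gateway could run: anything other than a
    bool in the response means a raw attribute slipped through."""
    return any(not isinstance(v, bool) for v in response.values())


def answer_query(dob_iso: str, country: str, query: dict, today_iso: str) -> dict:
    """Convenience wrapper taking ISO-8601 date strings (for scripting and tests)."""
    record = IdentityRecord("demo", date.fromisoformat(dob_iso), country)
    return minimized_response(record, query, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Constructed sample: born 29 Feb 2000, checked the day before and on the 18th birthday.
    print(answer_query("2000-02-29", "DE", {"min_age": 18, "country": "DE"}, "2018-02-28"))
    print(answer_query("2000-02-29", "DE", {"min_age": 18}, "2018-03-01"))
```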

New protocols are now being developed to enhance the whole area of user consent and privacy of individual attributes and related content. The Kantara Initiative has a working group called User Managed Access, or UMA. This group has developed a protocol based on OAuth 2.0, which can be used to build technologies where user consent is a central part of the architecture. In addition, the use of, for example, ‘hub’ components, which can be based on SAML 2.0 or OpenID Connect, can prevent IdPs from tracking a user’s use of an identity at associated services in the eco-system.
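To make the ‘disconnect’ that the hub creates (described in the eco-system list and in the Privacy paragraph above) concrete, here is an added example that is not code from the article, from Verify, or from any hub product. It assumes a hypothetical Hub class and uses one common technique, an HMAC-derived pairwise pseudonym, to show the two things a hub must guarantee: the IdP never learns which SP asked, and each SP receives a subject identifier that is stable for that SP but unlinkable across SPs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Hub:
    """Hypothetical hub sitting between service providers (SPs) and identity providers (IdPs).

    The request forwarded to the IdP names only the hub, and the subject handed to each
    SP is a pairwise pseudonym, so two SPs cannot pool records to link a user and the
    IdP's own subject id never reaches an SP."""
    pairwise_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)  # request_id -> sp_id, held only at the hub
    sent_to_idp: list = field(default_factory=list)  # what the IdP saw (kept for the demo)

    def start_from_sp(self, sp_id: str, idp_id: str) -> dict:
        """An SP asks for a user to be authenticated at `idp_id`. The hub records which
        SP asked, then forwards a request that identifies only the hub as the requester."""
        request_id = secrets.token_hex(16)
        self.pending[request_id] = sp_id
        msg = {"requester": "hub", "request_id": request_id, "idp": idp_id}
        self.sent_to_idp.append(msg)
        return msg

    def pairwise_id(self, idp_subject: str, sp_id: str) -> str:
        """Keyed hash of (IdP subject, SP): stable for one user at one SP, unlinkable
        across SPs, and not invertible without the hub's key."""
        data = f"{idp_subject}|{sp_id}".encode()
        return hmac.new(self.pairwise_key, data, hashlib.sha256).hexdigest()

    def relay_to_sp(self, idp_assertion: dict) -> dict:
        """Re-issue the IdP's assertion to the SP that started the request. Consuming
        the request id means a captured assertion cannot be presented twice."""
        sp_id = self.pending.pop(idp_assertion["request_id"])  # KeyError on replay/unknown id
        return {
            "issuer": "hub",
            "audience": sp_id,
            "subject": self.pairwise_id(idp_assertion["subject"], sp_id),
            "claims": idp_assertion["claims"],
        }


def run_demo() -> dict:
    """One user logging in at two SPs through the same IdP (constructed sample flow)."""
    hub = Hub()
    out = {}
    for sp in ("tax.example", "health.example"):
        req = hub.start_from_sp(sp, "idp-a")
        # The IdP authenticates the user and answers with its own persistent subject id.
        assertion = {"request_id": req["request_id"], "subject": "idp-a-user-42",
                     "claims": {"age_at_least_18": True}}
        out[sp] = hub.relay_to_sp(assertion)
    out["idp_saw_sp"] = any("tax" in str(m) or "health" in str(m) for m in hub.sent_to_idp)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Note that the hub itself sees both sides of every transaction, which is why it becomes the trust anchor of the eco-system and why the article's "in theory" qualifier matters.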

Security: The transaction of personal data across the Internet has never before been so dangerous. In 2015, Javelin Research recorded the identity theft of 13.1 million people in the USA. In Europe, according to an EU Commission report, “Cyber Security”, on average 12% of EU citizens have experienced online fraud and 68% of Europeans are very concerned about online identity theft. It is into this environment that online identity schemes have to operate. In a world where cybercrime is focusing on the theft of Personally Identifying Information (PII) within the Internet realm, these systems have to be built by architects who have a deep knowledge of web-based attack vectors. The Open Web Application Security Project (OWASP) is a good starting point for helping to create secure identity platforms, as it identifies the main web attack points. But other areas, such as anti-phishing and two-factor authentication, also have to be integrated into the design.

Innovations and The Future

There have been a number of innovations in the world of digital identity, especially in recent years. These innovations are now also seeing real-world implementations. The digital identity world has been forced to look at new and novel ways of digitally stating ‘I am who I say I am’, within a context of increasing threats to personally identifying information (PII). Building schemes that are user friendly, secure, privacy respectful and that work for wide demographics of users is a major challenge, and arguably the greatest challenge that online living has presented us with thus far. However, great leaps have been made in recent years towards the goal of an assured, persistent, cross-platform digital identity, and in the next part of this series I will look at some of the innovations taking us into this new online identity realm, as well as future directions.

Innovations and Future Identity

In the previous post we looked at the near past, and current challenges of designing and creating mass adopted online identity schemes. In this post we will look at some of the areas that innovation in online identity has taken place and that are being used to create robust, usable and effective identity platforms.

Innovations in Identity

Protocols: Having the right infrastructure in place to exchange messages across open networks, like the Internet, has been one of the greatest hurdles of online identity. In the early 2000s the Security Assertion Markup Language (SAML) was released. This protocol has been widely used ever since as the basis for many web-based access management schemes, across many industries. It is widely used in online citizen identity schemes across a number of global government projects. SAML was not, however, originally designed for our very modern, mass-connected ‘identiverse’. In the last 2 years a new contender has entered the identity protocol arena, one which has been specifically designed to be simple and easy to use, both for the user and for the service (SP) consuming the identity. This new contender is OpenID Connect.

OpenID Connect has many advantages over SAML 2.0. It is more efficient for mobile use cases as it isn’t based on XML, and it is very easy for service providers, like ecommerce sites, to set up support for an OpenID Connect identity. What this means, in effect, is that the barrier has been dropped, allowing any organization to work with, and take advantage of, a modern identity scheme.

Authentication: Once identity moved from an internal, highly controlled enterprise network into an open, cross-device, highly portable environment, it needed authentication measures to match. Authentication that is easy to use, secure and works across all devices and browsers is the bugbear of consumer identity schemes. Currently, username and password are the de facto method of many of the implemented modern schemes, simply because they are easy. As far as security is concerned they are wide open to abuse, not just from phishing but also from simple user sharing of passwords. Many identity schemes that need to share sensitive identity attributes will require a second factor as well as a username and password (multi-factor authentication). Usually these second-factor options are mobile based, using SMS codes or mobile app based authentication methods, for example the Google Authenticator app. Other methods, like voice-based mobile apps or hardware devices, have so far proved either too costly, or not accurate enough, for wide-scale adoption.

User-centricity: Making the user the center of the identity eco-system has been one of the biggest innovations in online identity. The idea of a user owning and consenting to the use of their identity attributes was first encapsulated in a series of ‘laws’ by Microsoft identity guru Kim Cameron in 2005, in his treatise “The Laws of Identity”. In this seminal work, Kim proposed a new view of online identity which set out that a person’s identity comprises ‘claims’, which are snippets of information identifying a person. He went on to state that these claims should be under the control of the user and that the identity system managing these claims should work on principles of privacy. This essentially turned the idea of digital identity on its head, and since then modern identity schemes have tried to incorporate some, if not all, of his 7 laws.

Verification: In the past, because we used closed enterprise systems for our identity directories, checking someone’s status was simply a case of using pre-existing company or certificate authority checks. In the online realm, checking the status of an individual is infinitely more difficult. Any online identity that has any true worth needs to have the status of the identity owner checked, ideally online, during registration and in real time. Credit file agencies are the mainstay of online verification checks today. They have been working in this area for many years, providing the likes of ecommerce and online gambling sites with financial checks when a user signs up for an account. The same credit file agencies are now being utilized by online identity schemes to check individual identity status. These checks include identity assurance, age verification (e.g. over 18) and financial status checks. They are part of the identity eco-system and add a level of assurance to a persistent and re-usable identity not available by other means.

Innovation in this area continues, however. Credit file agency checks can be onerous for the user; the journey through registration can become lengthy if very high levels of assurance are applied to the individual’s identity account. Work on using the social graph for verification checks is ongoing, and many of the credit file agencies are themselves looking at more novel ways of checking a person’s status.

Attribute provision and personal data stores: During sign up for an online identity a user can enter their own personal information into online forms and this can provide the basis for their identity. However, other identifying attributes can be fed into the eco-system from third parties. For example, if you need to use your identity to apply for a job using an online recruitment service, you may need to show evidence of educational certificates, or IT certification exams, etc. In this case, specialized web services can be used to request the release of this information to the service requiring them.

Alternatively, users can have a personal data store to house their extended identity information. This store can itself be part of the general identity eco-system and as such connects to the other parts of the eco-system. The store, however, is under the control and consent of the user, who can choose to release information to various services on request.

Specialist data stores are also becoming more commonplace. These stores, sometimes called Personal Finance Management (PFM) systems, will provide interaction with services such as financial services, allowing users to aggregate their financial data and share it with chosen services.

Blockchain: The blockchain has now entered the identity arena as a ledger for handling identity data. Still in early stages, a number of companies and organizations in the identity space are exploring its use. The blockchain offers a means to create certified, time-stamped, verified identities, in a highly seamless manner, built specifically for online use. The potential of the blockchain in the identity space is major and could help to take online identity to the next, usable level adding real worth to a person’s online persona.

Identity Relationship Management (IRM)

IRM is the new IDM. Identity Relationship Management is a new way of looking at identity, one which can inform design choices when creating online identity schemes. IRM is about creating relationships built on trust between the various actors within an identity system. IRM is basically taking the last 10 years of identity research and creating a new way of looking at how online identity should work. The IRM group have created a new set of ‘laws’ called “The Laws of Relationship Management”, which set out how online identity fits into a much wider web of people and things.

Real World Implementations and Futures

Online identity eco-systems are starting to mature, and a number of global initiatives are taking place to put large-scale, mass-adopted identity schemes in place. Some examples include:

UK Verify Scheme: This is a UK government scheme, which looks to allow all UK citizens to have access to digital government services. The scheme is based on a user-centric, verified SAML 2.0 identity eco-system. The scheme uses commercial organizations, such as banks, credit file agencies, mobile providers and large UK brands like the Royal Mail, to provide the citizen identities (IdPs). The system has a central ‘hub’ which acts as a privacy enhancement component in the eco-system to stop the IdPs from seeing which government service the user has accessed.

New Zealand RealMe Scheme: This is a New Zealand government scheme, based on SAML 2.0. It provides citizen identities for New Zealand residents. Unlike the UK equivalent, the New Zealand system is allowing federation with non-government services.

USA NSTIC Scheme: The U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC) is working on a number of pilot schemes in various U.S. states to build out identity eco-systems. These pilots are attempting to find the best components and protocols for a user-centric, privacy respecting online identity scheme.

Switzerland E-Government 2.0: The future is now. This government scheme by the Swiss canton of Aargau provides all citizens, government employees and specific third parties with access to digital government services. Much like the UK Verify scheme, it is based on a user-centric, verified SAML 2.0 identity eco-system. The scheme uses a number of different organizations to provide the identities (IdPs). The system uses USP Secure Entry Server® as the central ‘hub’ providing coordination between all IdPs and Service Providers in the eco-system, safeguarding privacy through user consent and anonymization where necessary, and ensuring overall security.

The future of online identity has to be one of trust and respect: trust between the identity owner and the service consuming that identity. Trust comes from the commitment to security and respect for privacy. Once these are in place, technologies such as privacy enhancement techniques, blockchain and Internet-focused protocols can truly take digital identity to a place of real value; that is, online verification, great user experience, single sign-on and federation, and most of all user control to decide when, where and with whom you share some of your most personal details.

Comments 1

  1. Steve Wilson

    An important detail that can affect the way people frame privacy: PII is not usually “personally identifying information” but rather, “personally identifiable information”. That’s a much lower threshold definition. Data privacy laws worldwide tend to apply to any data that is identifiable, and not just that which is unique to a person and thus identifying.

Author Details

Mathias Wyss

Product Manager Web Access Management & Security Expert @ United Security Providers, MSc ETH, CISSP
