Identity theft is fast becoming the new bête noire of the cyberworld, crowding out spyware, spam and viruses for that dubious honor. During the past several months, the media have splashed increasingly frightening cover stories, consumer alerts and other breaking news about people who've had their identities spoofed, credit cards hijacked and assets looted by unseen strangers lurking on the Internet.
Amid the growing hysteria, the identity-management industry sees a big black eye in the making, and it's beginning to formulate strategies for identity theft prevention, detection and remediation. For example, in June the Liberty Alliance formed a group to develop best practices to help businesses and consumers prevent online identity fraud. In a similar vein, Microsoft recently announced a retooled identity-management federation strategy - the Identity Metasystem - that underscores the need for identity-theft and privacy protection.
The unspoken subtext behind these initiatives is that trust - the foundation of identity-management federation - is in jeopardy if the industry doesn't proactively address identity theft on many levels. The stakes couldn't be higher. What's most worrisome is the growing prevalence of phishing, pharming and other social-engineering ploys to steal user information. These frauds strike at the very heart of the federation: users' trust in the authenticity of identity providers. If you can't trust that the party to whom you're presenting credentials is in fact what it claims to be, then nothing's truly secure.
Likewise, well-publicized break-ins to corporate databases have further shaken people's trust in the safeguarding of critical personal identity data. And massive theft of personal data creates another trust loss: Identity providers who've been victimized can no longer trust that the individual presenting credentials is who he or she claims to be.
In the face of never-ending identity thefts, the only way out of this downward spiral is to continue reissuing new credentials to affected users, but only after reputable agents have proofed those users to strong assurance, and only if the new credentials rely on biometrics for strong authentication. Clearly, this theft-unfriendly identity-management environment is a long way from being implemented in the real world and would be quite expensive, complex and cumbersome to universally deploy.