A look at multi-LOA cases

GSA-hosted workshop highlights the need to solve the multi-LOA problem
Security Identity Management Alert By Dave Kearns , Network World , 08/25/2009

The recent "Open Government Identity Management Solutions Privacy Workshop" hosted by the U.S. General Services Administration has engendered a lot of excellent discussion of emerging issues. I mentioned some of it a couple of weeks ago, and today I want to explore another area that was covered in the workshop.

I wasn't there, but George Fletcher, the chief architect for identity services at AOL, was and he's written about it ("User experience and Levels of Assurance"). A critical point Fletcher makes is that "While the workshop was focused on issues related to LOA 1, the need to solve the multi-LOA problem came up over and over."


If you're unfamiliar with the U.S. government's definitions of the various levels of assurance, they are:

* Level 1: Little or no confidence in the asserted identity's validity.

* Level 2: Some confidence in the asserted identity's validity.

* Level 3: High confidence in the asserted identity's validity.

* Level 4: Very high confidence in the asserted identity's validity.

Fletcher goes on to illustrate a multi-LOA use case as follows:

1. User goes to government Web site where he can log in with a LOA1 credential (id from a provider the user already uses).

2. The user is redirected to their consumer LOA1 credential provider and logs in.

3. The user is redirected back to the government Web site with an LOA1 credential.

4. The user interacts with the Web site.

5. The user clicks on an option on the Web site that directs him to a new site (or a service within the existing site) that requires a LOA2 credential.

6. The user arrives at the new site and does not have a LOA2 credential.

7. The site informs the user that he needs a more secure credential and he can get one from the following locations.

8. The user selects one of the providers and is redirected to that site.

9. The LOA2 provider asks the user if he wants to use existing LOA1 providers as a factor in the LOA2 credential (here I'm thinking that an LOA1 credential could be used in bootstrapping to the LOA2 credential).

10. The user selects his current LOA1 provider (the one used when logging into the government site).

11. The user goes through some identity proofing process. (Note that this could happen off-line if necessary. The point is that the user ties his LOA1 identity to the LOA2 provider. This helps with seamless transition between levels.)
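As an added illustration, not taken from Fletcher's post or from this article, here is a small Python model of the relying-party side of that step-up flow: a session carries the LOA its provider may assert, a resource that needs a higher level triggers step-up rather than a downgrade, and a linked provider lets the user skip re-proofing. The provider names and their assurance levels are constructed sample data.

```python
"""Toy relying-party logic for the multi-LOA step-up flow (constructed example)."""
from dataclasses import dataclass, replace

# The four levels of assurance listed in the article.
LOA_LEVELS = {1: "little or no confidence", 2: "some confidence",
              3: "high confidence", 4: "very high confidence"}

# Hypothetical credential providers and the highest LOA each may assert (constructed).
PROVIDERS = {"consumer-idp.example": 1, "proofed-idp.example": 2, "gov-pki.example": 3}


@dataclass(frozen=True)
class Session:
    subject: str           # identifier asserted by the credential provider
    provider: str          # provider that authenticated the user
    loa: int               # assurance level of the current session
    linked: tuple = ()     # providers the user has already been proofed with


def assert_credential(provider: str, subject: str) -> Session:
    """Steps 2-3: the relying party trusts a provider only up to its registered LOA."""
    if provider not in PROVIDERS:
        raise ValueError(f"unknown provider {provider!r}")
    return Session(subject=subject, provider=provider, loa=PROVIDERS[provider])


def authorize(session: Session, required_loa: int) -> dict:
    """Steps 5-7: allow, or list the providers able to issue the stronger credential.
    The session's LOA is never lowered to fit the resource."""
    if required_loa not in LOA_LEVELS:
        raise ValueError(f"invalid LOA {required_loa}")
    if session.loa >= required_loa:
        return {"decision": "allow", "loa": session.loa}
    options = sorted(p for p, lvl in PROVIDERS.items() if lvl >= required_loa)
    # Steps 9-10: a provider the user already linked can be used without re-proofing.
    linked = [p for p in options if p in session.linked]
    return {"decision": "step_up", "required": required_loa,
            "providers": options, "linked": linked}


def step_up(session: Session, provider: str, proofing_passed: bool) -> Session:
    """Step 11: bootstrap from the LOA1 identity to a stronger provider. Proofing may be
    skipped only if this provider was linked earlier; failed proofing leaves the session
    unchanged instead of granting a higher level."""
    target = PROVIDERS.get(provider)
    if target is None or target <= session.loa:
        raise ValueError(f"{provider!r} cannot raise the session above LOA{session.loa}")
    if provider not in session.linked and not proofing_passed:
        raise PermissionError("identity proofing failed; LOA unchanged")
    return replace(session, provider=provider, loa=target,
                   linked=tuple(sorted(set(session.linked) | {provider})))
```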

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.

Comments (1)
Multi LoA Cases
By Allan Milgate on September 8, 2009, 2:00 am

George Fletcher’s scenario describes the usual “step-up” authentication, which is the alternative to an initial “strongest possible” authentication – refer to http://identityaccessman.blogspot.com/...
