Identity theft threatens federation

Identity theft is fast becoming the new bête noire of the cyberworld, crowding out spyware, spam and viruses for that dubious honor. During the past several months, the media have splashed increasingly frightening cover stories, consumer alerts and other breaking news about people who've had their identities spoofed, credit cards hijacked and assets looted by unseen strangers lurking on the Internet.

Amid the growing hysteria, the identity-management industry sees a big black eye in the making, and it's beginning to formulate strategies for identity theft prevention, detection and remediation. For example, in June the Liberty Alliance formed a group to develop best practices to help businesses and consumers prevent online identity fraud. In a similar vein, Microsoft recently announced a retooled identity-management federation strategy - the Identity Metasystem - that underscores the need for identity-theft and privacy protection.

The unspoken subtext behind these initiatives is that trust - the foundation of identity-management federation - is in jeopardy if the industry doesn't proactively address identity theft on many levels. The stakes couldn't be higher. What's most worrisome is the growing prevalence of phishing, pharming and other social-engineering ploys to steal user information. These frauds strike at the very heart of the federation: users' trust in the authenticity of identity providers. If you can't trust that the party to whom you're presenting credentials is in fact what it claims to be, then nothing's truly secure.

Likewise, well-publicized break-ins to corporate databases have further shaken people's trust in the safeguarding of critical personal identity data. And massive theft of personal data creates another trust loss: Identity providers who've been victimized can no longer trust that the individual presenting credentials is who he or she claims to be.

In the face of never-ending identity thefts, the only way out of this downward spiral is to continue reissuing new credentials to affected users, but only after reputable agents have proofed those users to strong assurance, and only if the new credentials rely on biometrics for strong authentication. Clearly, this theft-unfriendly identity-management environment is a long way from being implemented in the real world and would be quite expensive, complex and cumbersome to universally deploy.

Some have argued that federated identity management is a fundamentally flawed approach that encourages identity theft. Nothing could be further from the truth. There's nothing inherently insecure about federation protocols, such as Security Assertion Markup Language and Liberty Alliance Identity Federation Framework, or the way vendors and users have implemented them.

Rather, most identity theft originates in the massive online market for bulk user personal data that many consumer-facing businesses collect in normal operations. In addition, companies, carriers and other identity providers frequently implement lax controls on external access to identity information in their databases and directories, encouraging hack attacks.

The federated identity-management industry isn't the only sector of our economy that's looking for solutions to the multifaceted problem of identity theft. But the federated identity-management market realizes this is a bread-and-butter issue that threatens to overshadow all efforts to create a universal trust environment for interoperable e-business.

To its credit, the industry realizes that technical standards alone aren't the answer to identity theft and fraud. The threat is so multifaceted, pervasive and stubborn that it must be addressed with federated identity-management best practices that also take into account business, legal, consumer education and other considerations. A cross-disciplinary approach to identity theft protection - not purely technical approaches - should be the ongoing focus of Liberty Alliance and other industry groups.

Copyright © 2005 IDG Communications, Inc.