ID Management Standards Ready for Users

Article excerpt

After years of development, the concept of "federated identity" may be moving forward.

The Liberty Alliance Project, a 150-member alliance formed in September 2001, has completed its Identity Assurance Framework, a set of standards meant to help companies or organizations to authenticate someone online and then vouch for that person to enable access to other companies' Web sites without a second authentication.

The alliance recently shared the details of the framework and hopes that some companies will begin using it next year.

Jane Hennessy, a senior vice president at Wells Fargo & Co. and a co-chairwoman of the alliance's Identity Assurance Expert Group, said in an interview last week that bankers are in an excellent position to sell identity services.

"We've got a very large, strong, already authenticated customer base," Ms. Hennessy said. "There are a variety of institutions that can and do make a business out of this."

Brett McDowell, the executive director of the Liberty Alliance Project, said bankers have an opportunity to increase revenue using their current infrastructures and practices.

"Financial institutions have incredible upside for getting into this game," Mr. McDowell said. "They already have millions of authenticated users - well-identified, authenticated users."

Some observers are skeptical about how quickly the market for identity management will develop.

Rachel Kim, a research analyst at Javelin Strategy and Research of Pleasanton, Calif., said that very few U.S. banking companies other than Wells have made much of an effort in this area.

"They're sitting on this pool of vetted identities. It's just a question of how do they make money off it," Ms. Kim said. "They need an established business proposition."

The alliance says the framework could quickly establish a functional identity management market.

"We plan to have this thing nailed down and operational in 2008," Mr. McDowell said. "We have a sense of urgency to move forward, because many of our participants see immediate market demand."

The framework proposes auditable standards for federated authentication, with four levels of trust.

At Level 1, the relying party would put little or no confidence in the validity of an asserted identity, such as a personal identification number used to register for a news Web site. At Level 4, the relying party would put a very high level of confidence in a credential, which could be required, for example, to authorize users to dispense controlled drugs. This level of identification could employ multifactor remote authentication through "hard" tokens, such as cryptographic keys on smart cards.

The project is aimed mainly at online access, but could also be used for access to physical sites.

The alliance plans to accept comments on the framework through yearend. Next year it plans to begin the first phase of a process to provide accreditation to assessors - probably big accounting firms - that would perform certification assessments for companies such as Wells that want to be "Credential Service Providers. …