FSTC Reviews Online Identity Management Standards
In a report issued early in July, the Financial Services Technology Consortium rated as effective the Liberty Alliance--that is, the Identity Federation Framework via specification to enable functions for working online such as single sign on, session management, and account linkage facets of identity management.
As part of technical work to reveal the opportunities and weaknesses posed by Liberty, the group also evaluated the core SAML specification (owned by Oasis) that Liberty is built around for ID management and related capabilities.
The verdict? Technically speaking, Liberty and SAML proved to be fairly proficient with only a few adjustments in order to render them industrial strength. But the technology needs to be further buttressed by industry-wide agreement on best practices that addresses issues of liability, risk management, and compliance.
The writeup featured conclusions drawn from months of testing from three separate teams of FSTC members to determine the technical viability of Liberty and SAML for coping with the internet's toughest issues.
"Banks have always been concerned with the integrity of customer information, but in the online realm--with all the regulation around 'knowing your customer' and privacy and the rising tide of fraud and hacking--the need for true, unassailable authentication procedures is even more pronounced," says Mike McCormick, systems architect at Wells Fargo, San Francisco and a co-author of the FSTC study.
The three test projects looked at identity services in the context of business-to-business, business-to-employee, and business-to-consumer applications. "The B2B project involved use of affinity cards and mobile financial services," says McCormick. "The B2E situation looked at a scenario where an employee would log in to a corporate portal and link to travel and 401(k) sites without further log ins. The third scenario explored account aggregation without screen scraping and without the need to pass along your confidential log-in data to third party providers as is the case today."
The idea is to make a legal/technical/best practices framework that gives banks guidelines and helps them jump at opportunity without too much exposure in what is still, a danger virtual marketplace. …