Ross Anderson, a professor of Security Engineering at Cambridge University, presented his paper "Can We Fix the Security Economics of Federated Authentication?" this week at the Nineteenth International Workshop on Security Protocols. In Anderson's own words:
Using one service to authenticate the users of another is an old dream but a terrible tar-pit. Recently it has become a game of pass-the-parcel: your newspaper authenticates you via your social networking site, which wants you to recover lost passwords by email, while your email provider wants to use your mobile phone and your phone company depends on your email account. The certification authorities on which online trust relies are open to coercion by governments, which would like us to use ID cards but are hopeless at making systems work. No one even wants to answer the phone to help out a customer in distress. But as we move to a world of mobile wallets, in which your phone contains your credit cards and even your driving license, we'll need a sound foundation that's resilient to fraud and error, and usable by everyone. Where might this foundation be? I argue that there could be a quite surprising answer.
While Anderson's "sound foundation" solution did not win me over, I did agree with his assessment of federated identification, which presents a two-part problem.
First, not all authentications need the same level of assurance. Facebook does not need to be as sure that I am who I say I am as my bank does, nor does The New York Times online need to be as sure as my doctor does. That is an easy assessment to make, for the most part.
Second, as Anderson explains, different levels of investment are made to attain different levels of assurance for authentications, and those different levels of investment are driven by the liability associated with getting it wrong.
For example, neither my colleague Rich nor The New York Times online are that concerned about me circumventing the newspaper's authentication system to pose as Rich and post snarky comments about New Jersey in his name. If, however, I have his bank transfer funds to my account, thereby breaking the law and causing financial hardship to both him and his bank, then concerns about authentication are rightly elevated.
Anderson cleverly makes this investment issue concrete by talking about the costs associated with call centers, but in his paper, call center costs are more or less a surrogate for money that a merchant or bank or hospital is willing to spend to increase the assurance of their authentications, and thus reduce their aggregate risk from all the authentications they make.
So, in a federated identity framework, which identity provider makes those investments? Banks already invest heavily in secure authentication (or shift their liability, but that's another issue), but they are not in the business of providing authentication for anyone else, and nor are they likely to engage in such business. Consumers probably don't want to log into Facebook with their online banking credentials, whether the risks in doing so are real or imagined. Even if they do, Facebook doesn't want to pay the bank the costs associated with providing authentication at the level of assurance that banks require -- even with economies of scale -- or assume the liability associated with acting as an identity provider to banks.
It's not an easy problem to solve. Right now in the United States, the Obama Administration is developing the National Strategy for Trusted Identities in Cyberspace. The last public draft of the full strategy describes the problem succinctly:
This Strategy defines an identity ecosystem where one entity vets and establishes identities and another entity accepts them. To date, the appropriate apportionment of liability has prevented the cross-sector issuance and acceptance of identity credentials. The federal government must address this barrier through liability reform in order to establish the multi-directional trust required by transaction participants. The identity ecosystem promotes models that mitigate liability to an acceptable level relative to the benefits associated with participation in the ecosystem. In addition, the strategy will further sustain existing liability models and strengthen legislation to protect individuals and deter organizations from holding lawful individuals responsible for losses caused by unauthorized transactions.
The strategy provides the right framework. The questions now are how we implement operational solutions, and what threshold of liability participants and users will be able to bear before questioning any significant reform.