A leading security think tank has warned that international efforts to build a reliable standard for online identity and authentication are in danger of being hijacked by commercial interests.
We are in danger of sleepwalking into an American-driven identity nightmare.
The Jericho Forum, a prominent IT security best practices organisation under the auspices of The Open Group, has raised the alarm about a US-based programme called the National Strategy for Trusted Identities in Cyberspace (NSTIC) that aims to come up with a solution that will allow consumers to operate online without having to remember multiple passwords or carry multiple security tokens.
NSTIC is currently considering proposals from industry and interested parties about the best way to proceed, and Jericho has submitted its own comments and suggestions for protecting identity online.
NSTIC proposal for protecting identity online
NSTIC developed its proposal for improved Internet identities earlier this year and has been seeking industry views on how the infrastructure might develop, primarily in the US, but also internationally. The NSTIC programme envisages “a vibrant marketplace that allows people to choose among multiple identity providers - both private and public - that would issue trusted credentials that prove identity.” With the trusted credential, the individual would then be able to access different services – such as email, banking or social networking – using the single credential and without having to memorise different passwords.
Jericho’s response to the NSTIC argued that any method of protecting online identity needs to put power in the hands of the user, rather than relying on a central repository of user details that might be open to a breach. It argued the UK government’s ill-fated National Identity Card Scheme was scrapped precisely because it attempted to gather too much personal information in one place, and suggested the US is in danger of following a similar path with NSTIC.
Paul Simmonds, a founding member of the Jericho Forum, said any set of guidelines needs to be open and accepted globally to become truly effective, and to allow the growth of Internet commerce in a secure manner.
“We need to bring it all together in an open way so we all do it the same way around the world. Otherwise we will get fragmentation, which is what’s happening at the moment,” Simmonds said. “If we don’t get involved in what the Americans are doing, we’re going to be stuffed. The rest of the world needs to get involved in this, or we’ll have a de facto standard imposed on us -- an American standard that doesn’t meet European privacy requirements.”
Jericho Forum Identity Commandments
Earlier this year, the Jericho Forum developed what it calls its Identity Commandments for an open identity system. These are a set of principles it says should be observed when planning an identity eco-system, using open and interoperable standards, and capable of operating on a global scale.
Simmonds said it has now been peer reviewed by security experts around the world, and has been received positively. “We’ve come to the conclusion our Identity Commandments are pretty good. People made a couple of tweaks here and there, but on the whole the Commandments have stood up to scrutiny,” Simmonds said.
The only problem, he added, is that a user-centric approach is less commercially attractive to the big corporations that might want to get involved. “The way to make money out of identity is by setting up what we would call a super-persona, where the individual deposits all their details, and the company holding the information earns a micro payment each time the data is referenced to prove their identity,” Simmonds said.
But he warned the creation of large databases of personal data would provide criminals with an attractive target, and would still suffer from the lack of a strong root of trust to provide the individual’s identity. “Logging in with username and password is not a good idea,” he said.
The Jericho approach avoids the creation of centralised databases, and allows the user to manage their own identity, he said. For example, users could hold their identity on a smartcard with a fingerprint reader, near-field communications and some form of RFID.
Users would register initially, maybe at the post office, using documentation to prove their identity, and they would have their fingerprint registered for use on the card. Cards would only operate with the finger on the reader, providing “an immutable link to the person,” according to Simmonds. Users could then enrol the encrypted credentials contained in the card against other services, such as their credit card company.
“It means my 78-year-old mother could get a credential card and use it for all she needs to do on the Internet, from online banking to buying from Amazon. She can link her Visa card to it, and her home address to it, and that would allow her to do secure transactions using the one credential card,” he explained.
“She can authenticate herself every time by just putting her finger on the card. This approach passes the ‘Can you explain this to your mother?’ test, and is deliverable today – we just need to combine some technologies and the necessary crypto to make it work.”
For IT people, he said, such initiatives require a change of mindset because IT’s approach to identity is usually through directories such Active Directory and LDAP, which rely on having a central reference point for other systems to consult.
Simmonds also warned a new identity scheme needs to be truly global. “Doing something at a national level isn’t going to cut it,” he said. “It has to be accepted internationally. A system developed for America may not be accepted by China, and vice versa. Like crypto, it has to be an open standard. Everyone accepts AES because it is an open standard; everything is published, and it was done by open competition. This is what we have suggested as part of our NSTIC response.”
He encouraged more European organisations to get involved in the discussions with NSTIC. “If not, we are in danger of sleepwalking into an American-driven identity nightmare,” he said.
Jericho will host a free one-hour webinar on Jan. 18, 2012 to discuss the issue.